CVE-2020-15256
prototype pollution vulnerability in object-path

prototype pollution | No known exploit | Fixable By Resolved Security

What is CVE-2020-15256 About?

A prototype pollution vulnerability exists in `object-path` versions <= 0.11.4, specifically affecting the `set()` method when `includeInheritedProps` is explicitly enabled. This can allow attackers to inject or modify properties of `Object.prototype`, potentially leading to privilege escalation, denial of service, or arbitrary code execution. Exploitation requires specific configuration, but it can be highly impactful.

Affected Software

object-path <0.11.5

Technical Details

The vulnerability is a prototype pollution issue found in the `set()` method of the `object-path` library. This issue specifically arises when the `includeInheritedProps` option is set to `true` (available in versions >= 0.11.0) or when using the default `withInheritedProps` instance. In versions < 0.11.0, any usage of `set()` is vulnerable. Prototype pollution occurs when an attacker can inject properties into the `Object.prototype`, which is the base for all JavaScript objects. By manipulating paths through the `set()` method, an attacker can create or modify properties on `Object.prototype`. For example, if an attacker can control a key-value input to `set()`, they might provide a path like `__proto__.pollutedProperty` and a value. This `pollutedProperty` would then be present on all objects in the application, potentially altering their behavior, enabling feature bypasses, or even leading to remote code execution if the application later trusts and executes these properties.

What is the Impact of CVE-2020-15256?

Successful exploitation may allow attackers to inject properties into the global `Object.prototype`, potentially leading to arbitrary code execution, denial of service, or property tampering across the application.

What is the Exploitability of CVE-2020-15256?

Exploitation of this prototype pollution vulnerability requires the attacker to control the input to the `set()` method of the `object-path` library. Furthermore, for versions 0.11.0 and above, the `includeInheritedProps` option must be explicitly enabled (or the `withInheritedProps` instance used), which is a specific configuration prerequisite. No authentication is inherently required for the attacker to supply the malicious input if the application publicly exposes an endpoint that uses the vulnerable `set()` function. The attack is typically remote if the input can be provided via an HTTP request. The complexity is moderate, as it requires understanding how to craft paths that target `__proto__` and how the application uses `object-path`. The main constraint is the specific configuration, but if met, the impact can be severe as it affects the fundamental behavior of JavaScript objects. An application taking user-supplied data and blindly setting properties using the affected `object-path` configuration heightens the risk.

What are the Known Public Exploits?

No known exploits.

What are the Available Fixes for CVE-2020-15256?

A Fix by Resolved Security Exists!

About the Fix from Resolved Security

This patch prevents setting object properties with the keys `__proto__` and `constructor` (when the current value is a function), throwing an error instead. This fixes CVE-2020-15256 by blocking prototype pollution attacks, which could otherwise allow malicious users to manipulate the prototype chain and compromise application security.
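
The traversal described under Technical Details and the key check described for the fix, shown side by side as an added JavaScript sketch (not object-path's source and not the Resolved Security patch). `setPath`, `probe` and the `inherited`/`guard` options are hypothetical names; the path is the one quoted in the text.

```javascript
'use strict';
// Added illustration, not object-path's source: setPath and its options
// (inherited, guard) are hypothetical names for this sketch.
function setPath(target, path, value, opts = {}) {
  const keys = path.split('.');
  let cur = target;
  for (let i = 0; i < keys.length; i++) {
    const key = keys[i];
    // Hardened form: reject __proto__, and constructor when it is a function.
    if (opts.guard && (key === '__proto__' ||
        (key === 'constructor' && typeof cur[key] === 'function'))) {
      throw new Error('unsafe key in path: ' + key);
    }
    if (i === keys.length - 1) { cur[key] = value; return target; }
    // inherited=true follows properties found on the prototype chain;
    // inherited=false only follows own properties and otherwise assigns
    // a fresh object, so Object.prototype is never reached.
    const present = opts.inherited
      ? key in cur
      : Object.prototype.hasOwnProperty.call(cur, key);
    const next = present ? cur[key] : undefined;
    const walkable = next !== null &&
      (typeof next === 'object' || typeof next === 'function');
    if (!walkable) cur[key] = {};
    cur = cur[key];
  }
  return target;
}

// Runs the path from the text in one mode and reports whether an
// unrelated, freshly created object picked up the property.
function probe(opts) {
  let error = null;
  try {
    setPath({}, '__proto__.pollutedProperty', 'yes', opts);
  } catch (e) {
    error = e.message;
  }
  const leaked = ({}).pollutedProperty === 'yes';
  delete Object.prototype.pollutedProperty; // restore global state
  return { leaked, error };
}

console.log('inherited, no guard:', probe({ inherited: true }));
console.log('own props only     :', probe({ inherited: false }));
console.log('inherited + guard  :', probe({ inherited: true, guard: true }));
```

Only the first mode leaks the property onto unrelated objects; the guarded call throws before any assignment happens.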

Available Upgrade Options

  • object-path
    • <0.11.5 → Upgrade to 0.11.5


Additional Resources

What are Similar Vulnerabilities to CVE-2020-15256?

Similar Vulnerabilities: CVE-2020-8116, CVE-2020-28283, CVE-2021-23429, CVE-2022-21703, CVE-2023-28155