CVE-2020-15256
prototype pollution vulnerability in object-path (npm)
What is CVE-2020-15256 About?
A prototype pollution vulnerability exists in `object-path` versions <= 0.11.4, specifically affecting the `set()` method when `includeInheritedProps` is explicitly enabled. This can allow attackers to inject or modify properties of `Object.prototype`, potentially leading to privilege escalation, denial of service, or arbitrary code execution. Exploitation requires specific configuration, but it can be highly impactful.
Affected Software
Technical Details
The vulnerability is a prototype pollution issue found in the `set()` method of the object-path library. This issue specifically arises when the `includeInheritedProps` option is set to true (available in versions >= 0.11.0) or when using the default `withInheritedProps` instance. In versions < 0.11.0, any usage of `set()` is vulnerable.
Prototype pollution occurs when an attacker can inject properties into the `Object.prototype`, which is the base for all JavaScript objects. By manipulating paths through the `set()` method, an attacker can create or modify properties on `Object.prototype`. For example, if an attacker can control a key-value input to `set()`, they might provide a path like `__proto__.pollutedProperty` and a value. This `pollutedProperty` would then be present on all objects in the application, potentially altering their behavior, enabling feature bypasses, or even leading to remote code execution if the application later trusts and executes these properties.
What is the Impact of CVE-2020-15256?
Successful exploitation may allow attackers to inject properties into the global `Object.prototype`, potentially leading to arbitrary code execution, denial of service, or property tampering across the application.
What is the Exploitability of CVE-2020-15256?
Exploitation of this prototype pollution vulnerability requires the attacker to control the input to the `set()` method of the object-path library. Furthermore, for versions 0.11.0 and above, the `includeInheritedProps` option must be explicitly enabled (or the `withInheritedProps` instance used), which is a specific configuration prerequisite. No authentication is inherently required for the attacker to supply the malicious input if the application publicly exposes an endpoint that uses the vulnerable `set()` function. The attack is typically remote if the input can be provided via an HTTP request. The complexity is moderate, as it requires understanding how to craft paths that target `__proto__` and how the application uses object-path. The main constraint is the specific configuration, but if met, the impact can be severe as it affects the fundamental behavior of JavaScript objects. An application taking user-supplied data and blindly setting properties using the affected object-path configuration heightens the risk.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2020-15256?
About the Fix from Resolved Security
This patch prevents setting object properties with the keys `__proto__` and `constructor` (when the current value is a function), throwing an error instead. This fixes CVE-2020-15256 by blocking prototype pollution attacks, which could otherwise allow malicious users to manipulate the prototype chain and compromise application security.
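The behaviour described under Technical Details and the guard described in this fix, side by side, as an added example that is neither object-path's source nor code from this page. `setPath`, `probe`, the `guard` option, the error text and the sample paths are hypothetical names and constructed inputs; only `includeInheritedProps` and the `__proto__.pollutedProperty` path come from the text above.

```javascript
// Simplified dotted-path setter: an illustration, not object-path's source.
// opts.includeInheritedProps: treat inherited keys (e.g. __proto__) as existing.
// opts.guard (hypothetical switch): apply the check the fix description gives.
function setPath(obj, path, value, opts = {}) {
  const keys = path.split('.');
  let cur = obj;
  keys.forEach((key, i) => {
    const exists = opts.includeInheritedProps
      ? key in cur
      : Object.prototype.hasOwnProperty.call(cur, key);
    const current = exists ? cur[key] : undefined;
    if (opts.guard && (key === '__proto__' ||
        (key === 'constructor' && typeof current === 'function'))) {
      throw new Error('magic properties cannot be set');
    }
    if (i === keys.length - 1) { cur[key] = value; return; }
    // Create a container unless an existing one can be walked into.
    if (current === null ||
        (typeof current !== 'object' && typeof current !== 'function')) {
      cur[key] = {};
    }
    cur = cur[key];
  });
  return obj;
}

// Runs fn, reports whether it threw and whether a fresh object was polluted.
function probe(fn) {
  let threw = false;
  try { fn(); } catch (e) { threw = true; }
  const leaked = 'pollutedProperty' in {};
  delete Object.prototype.pollutedProperty; // undo the global side effect
  return { leaked, threw };
}

function demo() {
  const path = '__proto__.pollutedProperty'; // constructed input, per the text
  const on = { includeInheritedProps: true };
  const fixed = { includeInheritedProps: true, guard: true };
  return {
    ownOnly: probe(() => setPath({}, path, 1)),         // own keys only
    inherited: probe(() => setPath({}, path, 1, on)),   // affected configuration
    guarded: probe(() => setPath({}, path, 1, fixed)),  // guard rejects __proto__
    ctorInherited: probe(() => setPath({}, 'constructor.label', 1, fixed)),
    ctorOwnData: probe(() => setPath({ constructor: {} }, 'constructor.label', 1, fixed)),
  };
}
console.log(demo());
```

Only the `inherited` case leaks onto unrelated objects. The last two cases show why the `constructor` check is conditional: an inherited constructor function is rejected, while an own data property that happens to be named `constructor` remains writable.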
Available Upgrade Options
- object-path
- <0.11.5 → Upgrade to 0.11.5
Additional Resources
- https://osv.dev/vulnerability/GHSA-cwx2-736x-mf6w
- https://nvd.nist.gov/vuln/detail/CVE-2020-15256
- https://github.com/mariocasciaro/object-path/commit/2be3354c6c46215c7635eb1b76d80f1319403c68
- https://github.com/mariocasciaro/object-path/security/advisories/GHSA-cwx2-736x-mf6w
- https://github.com/mariocasciaro/object-path
What are Similar Vulnerabilities to CVE-2020-15256?
Similar Vulnerabilities: CVE-2020-8116, CVE-2020-28283, CVE-2021-23429, CVE-2022-21703, CVE-2023-28155
