CVE-2020-28478
Prototype Pollution vulnerability in gsap (npm)

Prototype Pollution Proof of concept

What is CVE-2020-28478 About?

A prototype pollution vulnerability exists in gsap, affecting all versions before 3.6.0. An attacker who can get crafted input into a vulnerable object-merging routine can inject arbitrary properties into Object.prototype, which every object created afterwards inherits. Depending on how the application later consumes those properties, the result ranges from unpredictable behaviour to denial of service or, where a downstream sink acts on them, code execution. Exploitation requires delivering specially crafted input that is processed by the vulnerable component.

Affected Software

gsap <3.6.0

Technical Details

The gsap library, in versions prior to 3.6.0, contains a prototype pollution vulnerability. This class of bug arises when code merges or extends objects without filtering the keys it copies, so an attacker can supply __proto__ (or constructor followed by prototype) as a property name. When a recursive merge encounters __proto__ as a key in the input, reading that key on the target object returns the target's prototype rather than an own property, and the recursion then writes the attacker's nested values onto the global Object.prototype. Every object created afterwards inherits those properties, which can alter expected behaviour throughout the application: type confusion, checks such as "if (obj.isAdmin)" that now pass, unintended method calls, or corrupted data. The key has to arrive as an own property of the input, which is exactly what JSON.parse produces for network data; a __proto__ key written in a JavaScript object literal instead sets that literal's prototype and does not reproduce the bug. The exact vector depends on where gsap's object merging or manipulation functions are exposed to user-controlled data.
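The merge behaviour described above, as an added example that is not gsap's code and makes no claim about which gsap function is affected: a recursive merge of the vulnerable shape, the same routine hardened, and a probe that reports what landed on Object.prototype. The payload string, the property name isAdmin and the function names are constructed for illustration.

```javascript
// Added example (not gsap's code). The payload is a constructed string standing
// in for attacker-controlled JSON received over the network; "isAdmin" is an
// arbitrary property name chosen to illustrate a security check being flipped.
const ATTACKER_JSON = '{"duration": 2, "__proto__": {"isAdmin": true}}';

// Baseline of Object.prototype's own property names, captured before any merge
// runs, so later additions can be spotted.
const PROTO_BASELINE = new Set(Object.getOwnPropertyNames(Object.prototype));

function newPrototypeProperties() {
  return Object.getOwnPropertyNames(Object.prototype).filter((n) => !PROTO_BASELINE.has(n));
}

function isPlainObject(v) {
  return typeof v === "object" && v !== null && !Array.isArray(v);
}

// Vulnerable pattern: every enumerable key of `source` is walked, including
// "__proto__". JSON.parse creates "__proto__" as an *own* property, so the loop
// sees it; reading target["__proto__"] then hits the inherited accessor and
// returns Object.prototype, and the recursion writes straight into it.
function unsafeMerge(target, source) {
  for (const key in source) {
    const value = source[key];
    if (isPlainObject(value)) {
      if (!isPlainObject(target[key])) target[key] = {};
      unsafeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Hardened pattern: drop the keys that can reach a prototype ("__proto__"
// directly, "constructor"/"prototype" via obj.constructor.prototype), copy only
// own properties, and never recurse into a slot the target merely inherits.
const FORBIDDEN_KEYS = new Set(["__proto__", "constructor", "prototype"]);

function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) continue;
    const value = source[key];
    if (isPlainObject(value)) {
      const existing = Object.prototype.hasOwnProperty.call(target, key) ? target[key] : undefined;
      const slot = isPlainObject(existing) ? existing : {};
      target[key] = safeMerge(slot, value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Runs one merge implementation against the payload and reports whether a
// fresh, unrelated object now inherits the injected property. Object.prototype
// is restored afterwards so one scenario cannot poison the next.
function runScenario(mergeFn) {
  const payload = JSON.parse(ATTACKER_JSON);
  const config = { duration: 1 };
  try {
    mergeFn(config, payload);
    const unrelated = {};
    return {
      polluted: unrelated.isAdmin === true,
      duration: config.duration,
      ownKeys: Object.keys(config),
      injected: newPrototypeProperties(),
    };
  } finally {
    delete Object.prototype.isAdmin;
  }
}

console.log("unsafeMerge:", JSON.stringify(runScenario(unsafeMerge)));
console.log("safeMerge:  ", JSON.stringify(runScenario(safeMerge)));
```

The unsafe run reports polluted: true with "isAdmin" in the injected list; the safe run merges duration normally and leaves Object.prototype untouched. Two further mitigations worth knowing when you cannot patch the merge itself: build configuration objects with Object.create(null) so there is no prototype to reach, or call Object.freeze(Object.prototype) at startup so the write fails instead of succeeding silently.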

What is the Impact of CVE-2020-28478?

Successful exploitation may allow attackers to alter application logic, bypass security controls, cause denial of service, or enable further attacks such as arbitrary code execution through corrupted JavaScript object prototypes.

What is the Exploitability of CVE-2020-28478?

Exploitation requires crafting input that, when processed by gsap, triggers the prototype pollution. Complexity ranges from moderate to high, depending on how gsap is used within the target application and which functions expose the vulnerable merging logic. No authentication is required if the vulnerable functionality is reachable by unauthenticated users, and the attack is remote whenever the input can be supplied over the network. The primary prerequisite is that the application passes attacker-controlled data into gsap's object manipulation functions; where gsap only ever receives developer-authored animation configuration, there is no attacker-controlled input to reach the merge. The existence of a public proof of concept shows the flaw is practically exploitable, and the risk increases when gsap is used to process complex, untrusted data structures.

What are the Known Public Exploits?

PoC Author | Link | Commentary
NetJBS     | Link | PoC for CVE-2020-28478

What are the Available Fixes for CVE-2020-28478?

Available Upgrade Options

  • gsap
    • <3.6.0 → Upgrade to 3.6.0 or later


Additional Resources

What are Similar Vulnerabilities to CVE-2020-28478?

Similar Vulnerabilities: CVE-2020-28472, CVE-2020-28458, CVE-2019-11358, CVE-2019-7609, CVE-2021-23337