CVE-2020-28499
Prototype Pollution vulnerability in merge
What is CVE-2020-28499 About?
This is a prototype pollution vulnerability affecting all versions of the 'merge' npm package before 2.1.1, reachable through the `_recursiveMerge` function. An attacker who controls an object that is recursively merged can inject or modify properties on core JavaScript objects, most importantly `Object.prototype`, which can lead to denial of service, data manipulation, or, depending on how the application later consumes the polluted properties, arbitrary code execution. Exploitation is straightforward for an attacker who can control the input to the vulnerable function.
Affected Software
- merge (npm package, github.com/yeikos/js.merge): all versions before 2.1.1
Technical Details
The `_recursiveMerge` function within the 'merge' package is susceptible to prototype pollution. The function walks every key of the source object and recurses when both the target and the source hold an object under that key. When the source object comes from `JSON.parse` of attacker-supplied data, a key named `__proto__` is an ordinary own property, so the lookup of `target["__proto__"]` resolves to `Object.prototype` and that object becomes the target of the recursive merge; every nested key the attacker supplied is then written onto `Object.prototype`. Because almost every JavaScript object inherits from `Object.prototype`, all such objects in the process immediately see the injected properties, leading to altered behavior, property collisions, or method overwriting that can disrupt application execution or facilitate further attacks.
What is the Impact of CVE-2020-28499?
Successful exploitation may allow attackers to manipulate data, bypass security checks, achieve arbitrary code execution, or cause denial of service by corrupting global object prototypes.
What is the Exploitability of CVE-2020-28499?
Exploiting this vulnerability requires the attacker to supply controlled input that eventually gets processed by the `_recursiveMerge` function, typically by the package's `merge.recursive` being called on a parsed request body. The complexity of exploitation is low: the payload is a JSON object whose top-level key is `__proto__` (or a `constructor` key that itself contains a `prototype` key). The key has to arrive as data; `JSON.parse` creates an own property literally named `__proto__`, whereas an object literal with that key would only set the object's prototype and would not be walked by the merge. No authentication or elevated privilege is needed beyond the ability to interact with an application that passes such input to the vulnerable package, and the issue is remotely exploitable when the merge happens server-side. Deep merges of untrusted input without key validation are the pattern that makes exploitation likely.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2020-28499?
About the Fix from Resolved Security
The patch prevents merging of properties named `__proto__`, `constructor`, or `prototype`: `_recursiveMerge` now skips those keys instead of recursing into them, so attacker input can no longer reach `Object.prototype` through the merge. This directly mitigates CVE-2020-28499, which allowed an attacker to modify `Object.prototype` via recursive merging, potentially leading to denial of service or arbitrary code execution.
Available Upgrade Options
- merge
  - <2.1.1 → Upgrade to 2.1.1
Additional Resources
- https://snyk.io/vuln/SNYK-JS-MERGE-1042987
- https://github.com/yeikos/js.merge/blob/master/src/index.ts#L64
- https://vuldb.com/?id.170146
- https://github.com/yeikos/js.merge/commit/7b0ddc2701d813f2ba289b32d6a4b9d4cc235fb4
- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1071049
- https://nvd.nist.gov/vuln/detail/CVE-2020-28499
- https://github.com/yeikos/js.merge/blob/56ca75b2dd0f2820f1e08a49f62f04bbfb8c5f8f/src/index.ts#L64
- https://osv.dev/vulnerability/GHSA-7wpw-2hjm-89gp
What are Similar Vulnerabilities to CVE-2020-28499?
Similar Vulnerabilities: CVE-2020-7751, CVE-2020-8116, CVE-2021-23406, CVE-2021-23424, CVE-2022-24434
