CVE-2020-28503
Prototype Pollution vulnerability in copy-props

Prototype Pollution | No known exploit | Fixable by Resolved Security

What is CVE-2020-28503 About?

The 'copy-props' package before 2.0.5 is susceptible to Prototype Pollution through its main functionality. This vulnerability allows an attacker to inject or modify properties of 'Object.prototype', potentially leading to denial of service or remote code execution. Exploitation is relatively simple if an attacker can control input to the package.

Affected Software

copy-props <2.0.5

Technical Details

The 'copy-props' package, specifically versions before 2.0.5, contains a Prototype Pollution vulnerability within its core functionality. When the package is used to copy object properties, certain input structures, particularly those containing a '__proto__' key, are not properly sanitized or handled. This allows an attacker to inject properties directly into 'Object.prototype', effectively modifying the behavior of all JavaScript objects. Such modifications can overwrite critical functions or create unexpected object properties, leading to application crashes or potentially execution of arbitrary code. Note that pollution of the prototype is the primitive; whether it escalates from denial of service to code execution depends on how the application later consumes the injected properties.

What is the Impact of CVE-2020-28503?

Successful exploitation may allow attackers to modify global object prototypes, leading to denial of service conditions, data corruption, or potentially remote code execution in the affected application.

What is the Exploitability of CVE-2020-28503?

Exploiting this vulnerability involves providing carefully crafted input that uses the '__proto__' property to the 'copy-props' functionality. The complexity is low to moderate, relying on the attacker's ability to manipulate input data. Authentication by the attacker is typically not required, nor are elevated privileges. This vulnerability can be triggered via local or remote means, depending on where the 'copy-props' function processes external input. A key constraint is the application's use of the vulnerable 'copy-props' package where untrusted input is processed. Applications that pass untrusted input through general-purpose object-copying utilities are the most exposed.

What are the Known Public Exploits?

PoC | Author | Link | Commentary
No known exploits

What are the Available Fixes for CVE-2020-28503?

A Fix by Resolved Security Exists!

About the Fix from Resolved Security

The patch adds a check to prevent properties named '__proto__' or 'constructor' from being set on objects during deep property assignment, which mitigates prototype pollution attacks. This fix for CVE-2020-28503 blocks attackers from injecting properties into Object.prototype or Function.prototype, thus protecting all objects from being maliciously altered via crafted input.
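As an added example (not the copy-props package's own code), a minimal deep property copier in the shape the Technical Details section describes, beside a hardened version that applies the key check this fix describes. UNSAFE_KEYS, copyPropsVulnerable, copyPropsSafe, prototypeIsClean and SAMPLE_INPUT are assumed names, the input is constructed, and the hardened version also rejects 'prototype', which goes slightly beyond the two keys named above.

```javascript
// Keys a generic property copier must never assign: following them walks
// out of the target object and into shared prototypes.
const UNSAFE_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function isPlainObject(v) {
  return v !== null && typeof v === 'object' && !Array.isArray(v);
}

// Vulnerable shape (hypothetical, modelled on the behaviour the advisory
// describes): every own key of src is copied into dst, recursing into nested
// objects. For an own '__proto__' key, dst[key] resolves to Object.prototype.
function copyPropsVulnerable(src, dst) {
  for (const key of Object.keys(src)) {
    const value = src[key];
    if (isPlainObject(value)) {
      if (!isPlainObject(dst[key])) dst[key] = {};
      copyPropsVulnerable(value, dst[key]); // writes into Object.prototype
    } else {
      dst[key] = value;
    }
  }
  return dst;
}

// Hardened shape, applying the check the fix describes: unsafe keys are
// skipped, and a nested target is reused only when it is dst's own
// property, never something inherited through the prototype chain.
function copyPropsSafe(src, dst) {
  for (const key of Object.keys(src)) {
    if (UNSAFE_KEYS.has(key)) continue;
    const value = src[key];
    if (isPlainObject(value)) {
      const own = Object.prototype.hasOwnProperty.call(dst, key);
      if (!own || !isPlainObject(dst[key])) dst[key] = {};
      copyPropsSafe(value, dst[key]);
    } else {
      dst[key] = value;
    }
  }
  return dst;
}

// Regression check to run after copying untrusted input: a fresh object
// must not see the marker property through its prototype.
function prototypeIsClean(marker) {
  return !(marker in {});
}

// Constructed sample of untrusted JSON, as it would arrive in a request
// body; JSON.parse creates '__proto__' as an own key of the result.
const SAMPLE_INPUT = '{"__proto__": {"polluted": "yes"}, "name": "demo"}';
```

Running copyPropsSafe over SAMPLE_INPUT keeps "name" and leaves prototypeIsClean('polluted') true, while the vulnerable variant makes every object in the process report a 'polluted' property.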

Available Upgrade Options

  • copy-props
    • <2.0.5 → Upgrade to 2.0.5


Additional Resources

What are Similar Vulnerabilities to CVE-2020-28503?

Similar Vulnerabilities: CVE-2020-7637, CVE-2020-28282, CVE-2020-7660, CVE-2019-11358, CVE-2019-10747