CVE-2020-35149
Pollution Attack vulnerability in mquery (npm)

What is CVE-2020-35149 About?

The `lib/utils.js` file in `mquery` before 3.2.3 is vulnerable to a pollution attack. Special properties such as `__proto__` can be copied during merge or clone operations, which leads to prototype pollution. This lets attackers inject or modify properties on `Object.prototype`, which could result in various application-level impacts, and it is moderately easy to exploit.

Affected Software

mquery <3.2.3

Technical Details

The `mquery` library, specifically its `lib/utils.js` file in versions prior to 3.2.3, contains a pollution attack vulnerability. This flaw stems from the library's merge or clone operations, which do not adequately sanitize or validate property names. An attacker can craft input that includes special properties such as `__proto__` (or `constructor.prototype` in some contexts). When this input is processed by a merge or clone operation, the special property is inadvertently copied. This allows an attacker to directly access and modify `Object.prototype`, thereby injecting or altering properties that will be inherited by all other JavaScript objects in the application. Such manipulation can lead to denial of service, unexpected application behavior, or potentially remote code execution.
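The following added example (not mquery's source code) shows the class of bug described above: a naive recursive merge that follows `__proto__`, next to a hardened merge that skips prototype-reaching keys. The function names, the blocked-key list, and the sample input are assumptions made for illustration.

```javascript
// Added illustration; not taken from mquery. All names here are hypothetical.
const BLOCKED_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

const isPlainObject = (v) =>
  v !== null && typeof v === 'object' && !Array.isArray(v);

// Naive merge: walks every enumerable key, so an own "__proto__" key in the
// source makes it recurse into Object.prototype via target["__proto__"].
function unsafeMerge(target, source) {
  for (const key in source) {
    if (isPlainObject(source[key]) && isPlainObject(target[key])) {
      unsafeMerge(target[key], source[key]);
    } else {
      target[key] = source[key];
    }
  }
  return target;
}

// Hardened merge: only own keys, never the prototype-reaching ones, and
// nested objects are only merged into properties the target itself owns.
function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (BLOCKED_KEYS.has(key)) continue;
    const value = source[key];
    if (isPlainObject(value)) {
      const owned = Object.prototype.hasOwnProperty.call(target, key) &&
        isPlainObject(target[key]);
      target[key] = safeMerge(owned ? target[key] : {}, value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Returns true if merging the sample input leaked a property onto every object.
function demo(mergeFn) {
  // Constructed sample input, shaped like a parsed JSON request body.
  const untrusted = JSON.parse('{"limit": 10, "__proto__": {"polluted": true}}');
  mergeFn({}, untrusted);
  const leaked = ({}).polluted === true; // unrelated object inherits the key?
  delete Object.prototype.polluted;      // restore global state after the check
  return leaked;
}

console.log({ unsafe: demo(unsafeMerge), safe: demo(safeMerge) });
```

The same `demo` check can be pointed at any merge or clone helper in a code base to confirm that it ignores `__proto__` after an upgrade.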

What is the Impact of CVE-2020-35149?

Successful exploitation may allow attackers to inject arbitrary properties into JavaScript object prototypes, which can lead to denial of service, remote code execution, or bypass of security mechanisms.

What is the Exploitability of CVE-2020-35149?

Exploitation of this pollution attack is of medium complexity, requiring the attacker to deliver specially crafted data that is then processed by a merge or clone operation within mquery. No specific authentication is typically required if the vulnerable operation handles unauthenticated input. This is a remote attack vector, where an attacker can influence the data being merged or cloned. Privilege requirements are low, as the attack targets the application's object model. The likelihood of exploitation is higher in applications that heavily rely on dynamic object merging/cloning from untrusted data sources without proper validation or filtering of property names, making it a significant risk.

What are the Known Public Exploits?

No known exploits

What are the Available Fixes for CVE-2020-35149?

Available Upgrade Options

  • mquery
    • <3.2.3 → Upgrade to 3.2.3

What are Similar Vulnerabilities to CVE-2020-35149?

Similar Vulnerabilities: CVE-2020-7792, CVE-2020-7608, CVE-2019-10747, CVE-2019-11358, CVE-2019-16782