CVE-2020-36632
prototype pollution vulnerability in flat (npm)

Tags: prototype pollution · No known exploit · Fixable by Resolved Security

What is CVE-2020-36632 About?

This vulnerability is a critical prototype pollution flaw in the `flat` npm package in versions before 5.0.1 (up to and including 5.0.0), specifically in its `unflatten` function. Because `unflatten` does not validate the key segments it turns into property names, a remote attacker who can supply the flattened input can inject or modify properties on `Object.prototype`, which every ordinary object in the process then inherits. Exploitation is straightforward: nothing beyond crafted input reaching `unflatten` is required.

Affected Software

flat <5.0.1

Technical Details

The flat package, in versions up to 5.0.0, is vulnerable to prototype pollution through its `unflatten` function in index.js. `unflatten` reconstructs nested JavaScript objects from a flattened representation: it splits each key on the delimiter (`.` by default), walks the result object segment by segment, creating intermediate objects as needed, and finally assigns the value under the last segment. No segment is validated or sanitized. A key such as `__proto__.isAdmin` therefore makes the walk read `result['__proto__']`, which resolves to `Object.prototype`, and the value is written there as `Object.prototype.isAdmin`. Note that `JSON.parse` keeps `__proto__` as an ordinary own key, so flattened JSON taken from a request body is a realistic source of such input. Since every object created with `{}` or `new Object()` inherits from `Object.prototype`, the attacker-controlled property appears on objects throughout the application, not just on the unflattened result.

What is the Impact of CVE-2020-36632?

Successful exploitation lets an attacker add or overwrite properties that every plain JavaScript object inherits. The concrete outcome depends on which code later reads those properties: typical results are altered application logic, bypassed checks that test for a property's presence or value (for example an `isAdmin` flag that the application never sets explicitly), denial of service through crashes or type confusion, and in some cases remote code execution when a polluted property reaches a sensitive sink such as a command, template or child-process option.

What is the Exploitability of CVE-2020-36632?

Exploitation is of low to medium complexity: the attacker needs only to supply crafted input that the application passes to `unflatten`. The vulnerability can be triggered remotely, with no authentication or privileges required, whenever the application exposes an interface that unflattens user-controlled data (for example a JSON request body). The only prerequisite is control over keys in the flattened object, specifically the ability to include a segment named `__proto__`. Because the polluted properties are inherited process-wide, the flaw is rated critical with high potential for impact once exploited.

What are the Known Public Exploits?

No public proof-of-concept exploit (PoC, author, link or commentary) is listed for this CVE.

What are the Available Fixes for CVE-2020-36632?

A Fix by Resolved Security Exists!

About the Fix from Resolved Security

The patch prevents key segments named `__proto__` from being processed during unflattening, so the walk can no longer descend into `Object.prototype` and assign properties to it. This fixes CVE-2020-36632 by closing the prototype pollution path through which an attacker could manipulate the JavaScript object prototype and potentially escalate privileges or alter application behaviour. A quick regression check after applying the fix or upgrading is to unflatten `{ "__proto__.polluted": true }` and confirm that `({}).polluted` is still `undefined`.
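The following is an added example, written for this page and not taken from flat's own source, that illustrates both the mechanism described under Technical Details and the fix described above. It re-implements the `unflatten` walk in simplified form (flat's own type and overwrite checks are omitted), once without any key validation and once with a key filter that skips `__proto__` segments the way the 5.0.1 patch does. The names `unflattenWith`, `unflattenVulnerable`, `unflattenSafe`, `isPollutingKey`, `demonstrate` and the crafted request body are assumptions made for this illustration; blocking `constructor` and `prototype` in addition to `__proto__` is a defence-in-depth choice of this example, not part of the upstream fix.

```javascript
// Added example, not flat's code: a simplified re-implementation of the
// unflatten walk, shown unpatched and hardened. Function names and the sample
// input are assumptions made for this illustration.
const DELIMITER = '.';

// Shared walk: split each key on the delimiter, descend through (and create)
// intermediate objects, then assign the value under the last segment.
// acceptKey decides whether a flattened key is processed at all.
function unflattenWith(flatObj, delimiter, acceptKey) {
  const result = {};
  for (const fullKey of Object.keys(flatObj)) {
    if (!acceptKey(fullKey)) continue;
    const parts = fullKey.split(delimiter);
    let recipient = result;
    for (let i = 0; i < parts.length - 1; i++) {
      const part = parts[i];
      // When part is "__proto__", recipient[part] is Object.prototype, so the
      // walk leaves the result object and the final assignment lands on the
      // shared prototype. This is the CVE-2020-36632 path.
      if (recipient[part] === undefined || recipient[part] === null) {
        recipient[part] = {};
      }
      recipient = recipient[part];
    }
    recipient[parts[parts.length - 1]] = flatObj[fullKey];
  }
  return result;
}

// Before the fix: every key is accepted, no segment is validated.
function unflattenVulnerable(flatObj, delimiter = DELIMITER) {
  return unflattenWith(flatObj, delimiter, () => true);
}

// Segments that must never become property names during the walk. The 5.0.1
// patch skips "__proto__"; "constructor" and "prototype" are added here as a
// defence-in-depth choice, at the cost of dropping legitimately named keys.
const BLOCKED_SEGMENTS = new Set(['__proto__', 'constructor', 'prototype']);

// True if any segment of a flattened key is a blocked name. Also usable as an
// input filter at an API boundary before handing data to unflatten.
function isPollutingKey(fullKey, delimiter = DELIMITER) {
  return fullKey.split(delimiter).some((seg) => BLOCKED_SEGMENTS.has(seg));
}

// Hardened variant: same walk, but keys with a blocked segment are skipped,
// mirroring the "ignore the key" approach of the upstream patch.
function unflattenSafe(flatObj, delimiter = DELIMITER) {
  return unflattenWith(flatObj, delimiter, (k) => !isPollutingKey(k, delimiter));
}

// Crafted request body (constructed for this example). JSON.parse keeps
// "__proto__.isAdmin" as an ordinary own string key, so it reaches unflatten.
const CRAFTED_BODY = '{"user.name":"alice","__proto__.isAdmin":true}';

// Runs both variants on the crafted input and records whether an unrelated,
// freshly created object inherits the injected property after each call. The
// polluted property is deleted at the end so the runtime is left clean.
function demonstrate() {
  const input = JSON.parse(CRAFTED_BODY);
  const probe = () => ({}).isAdmin; // fresh object, unrelated to any result
  const before = probe();
  const safeResult = unflattenSafe(input);
  const afterSafe = probe();
  const vulnResult = unflattenVulnerable(input);
  const afterVulnerable = probe();
  const inheritedByResult = vulnResult.isAdmin; // inherited, not an own key
  delete Object.prototype.isAdmin; // restore the prototype
  return {
    before, afterSafe, afterVulnerable, inheritedByResult,
    safeResult, vulnOwnKeys: Object.keys(vulnResult), restored: probe(),
  };
}

console.log(demonstrate());
```

Run with `node` and compare `afterSafe` (undefined) against `afterVulnerable` (true): the hardened walk produces `{ user: { name: 'alice' } }` and leaves `Object.prototype` untouched, while the unpatched walk produces the same own keys but has silently given every object in the process an `isAdmin` property. The `probe` call is the same one-line check you can run against a real deployment after upgrading flat.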

Available Upgrade Options

  • flat
    • <5.0.1 → Upgrade to 5.0.1


Additional Resources

What are Similar Vulnerabilities to CVE-2020-36632?

Similar Vulnerabilities: CVE-2020-7598, CVE-2020-7774, CVE-2020-7707, CVE-2021-23429, CVE-2019-10744