CVE-2020-7707
Prototype Pollution vulnerability in property-expr (npm)

Prototype Pollution | No known exploit | Fixable by Resolved Security

What is CVE-2020-7707 About?

The `property-expr` package before 2.0.3 is vulnerable to Prototype Pollution via its `setter` function. This allows an attacker to modify `Object.prototype`, leading to potential arbitrary code execution or denial of service by affecting all JavaScript objects. Exploitation is relatively straightforward if an attacker can control the input to the vulnerable function.

Affected Software

property-expr <2.0.3

Technical Details

The `property-expr` package, in versions prior to 2.0.3, contains a Prototype Pollution vulnerability within its `setter` function. This function is typically used to dynamically set properties on objects based on a property expression string. The flaw lies in how the `setter` function parses and applies these property expressions. An attacker can craft a malicious property expression string that includes the `__proto__` key. When this crafted string is processed by the `setter` function, it bypasses intended property assignment logic and instead injects or modifies properties directly on `Object.prototype`. This global modification affects all JavaScript objects, allowing an attacker to introduce arbitrary attributes and values into the object's prototype chain.

What is the Impact of CVE-2020-7707?

Successful exploitation may allow attackers to inject properties into all JavaScript objects, manipulate application logic, bypass security controls, and potentially achieve remote code execution or cause a denial of service.

What is the Exploitability of CVE-2020-7707?

Exploitation is of low to medium complexity, requiring an attacker to be able to provide specially crafted input that is processed by the `setter` function of the `property-expr` package. There are no explicit authentication or privilege requirements mentioned. This is a remote exploitation scenario if the application exposes an interface that takes user-controlled strings and feeds them into the `setter` function. The main prerequisite is the ability to inject a property expression string containing `__proto__`. The impact of successful exploitation is broad, affecting all JavaScript objects within the application, and the ease of triggering this primitive makes it a significant risk.

What are the Known Public Exploits?

No known exploits

What are the Available Fixes for CVE-2020-7707?

A Fix by Resolved Security Exists!

About the Fix from Resolved Security

The patch prevents assignment to object properties named `__proto__`, `constructor`, or `prototype`, blocking setters from modifying these sensitive keys. This mitigates prototype pollution, which is the root cause of CVE-2020-7707, by ensuring attackers cannot alter object prototypes and thereby compromise application security.
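
The guard described above, sketched as an added example (not property-expr's source and not the Resolved Security patch): a simplified dotted-path setter that rejects any expression containing `__proto__`, `constructor` or `prototype` before it touches the target. The names `FORBIDDEN`, `splitPath`, `safeSet` and `demo`, and the sample expressions, are constructed for illustration.

```javascript
// Added example: a simplified dotted-path setter, not property-expr's source.
// FORBIDDEN, splitPath, safeSet and demo are hypothetical names.
const FORBIDDEN = new Set(['__proto__', 'constructor', 'prototype']);

// Split expressions such as a.b[0].c or a["x"].y into individual keys.
function splitPath(expr) {
  return String(expr).match(/[^.[\]'"]+/g) || [];
}

function safeSet(target, expr, value) {
  const keys = splitPath(expr);
  if (keys.length === 0) throw new TypeError('empty property expression');
  // Validate every segment first so a rejected expression changes nothing.
  for (const key of keys) {
    if (FORBIDDEN.has(key)) {
      throw new Error(`refusing unsafe key "${key}" in "${expr}"`);
    }
  }
  let node = target;
  for (const key of keys.slice(0, -1)) {
    const own = Object.prototype.hasOwnProperty.call(node, key);
    // Descend only through own object-valued properties; otherwise create one.
    if (!own || node[key] === null || typeof node[key] !== 'object') {
      node[key] = {};
    }
    node = node[key];
  }
  node[keys[keys.length - 1]] = value;
  return target;
}

// Constructed inputs: one ordinary expression, three naming a guarded key.
function demo() {
  const exprs = ['user.profile.name', '__proto__.isAdmin',
    'a["__proto__"].isAdmin', 'constructor.prototype.isAdmin'];
  const results = exprs.map((expr) => {
    try {
      safeSet({}, expr, true);
      return [expr, 'set'];
    } catch (err) {
      return [expr, 'rejected'];
    }
  });
  // A fresh object must not have inherited the attacker-chosen property.
  return { results, polluted: ({}).isAdmin === true };
}

console.log(demo());
```

Checking every segment before the first write means a rejected expression leaves the target unmodified, and the own-property test keeps the walk from descending into inherited objects.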

Available Upgrade Options

  • property-expr
    • <2.0.3 → Upgrade to 2.0.3


Additional Resources

What are Similar Vulnerabilities to CVE-2020-7707?

Similar Vulnerabilities: CVE-2020-7774, CVE-2020-7598, CVE-2020-36632, CVE-2021-23429, CVE-2019-10744