CVE-2020-7715
Prototype Pollution vulnerability in deep-get-set (npm)
What is CVE-2020-7715 About?
This vulnerability in the 'deep-get-set' package allows for Prototype Pollution via its main function, enabling attackers to inject arbitrary properties into JavaScript object prototypes. This can lead to a variety of negative impacts including denial of service or the ability to manipulate application logic. Exploitation is relatively straightforward, typically requiring careful crafting of input data.
Affected Software
Technical Details
The vulnerability, identified as Prototype Pollution, exists in all versions of the 'deep-get-set' package prior to version 1.1.1, specifically within its main function. Prototype Pollution allows an attacker to add or modify properties of the base Object.prototype in JavaScript. By manipulating the input provided to the main function, an attacker can construct a path that targets __proto__ or constructor.prototype. When the 'deep-get-set' package attempts to set a value at such a path, it inadvertently introduces or overwrites properties on the global Object.prototype. Since Object.prototype is the root of all JavaScript objects, any property defined there becomes accessible to all objects, which can lead to various issues. For example, if an attacker defines a property that conflicts with a legitimate application property, they could alter application behavior, bypass security checks, or even trigger denial-of-service conditions by overriding critical functions or properties with malicious values.
What is the Impact of CVE-2020-7715?
Successful exploitation may allow attackers to inject arbitrary properties into JavaScript object prototypes, potentially leading to denial of service, data manipulation, or the alteration of application logic.
What is the Exploitability of CVE-2020-7715?
Exploitation of this Prototype Pollution vulnerability is considered to be of moderate complexity. An attacker must provide specially crafted input data that the 'deep-get-set' package processes, specifically targeting __proto__ or constructor.prototype to inject malicious properties. There are typically no direct authentication or specific privilege requirements, as the vulnerability resides in how the package handles user-controlled input. The attack can be initiated remotely if the vulnerable function is exposed through an application's API that accepts external data. The primary constraint is the attacker's ability to supply the malformed input. Risk factors that increase the likelihood of exploitation include applications that deserialize untrusted data (e.g., JSON or URL parameters) and use the 'deep-get-set' package without robust input validation or sanitization.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | ||
What are the Available Fixes for CVE-2020-7715?
About the Fix from Resolved Security
The patch adds checks to prevent access to the special keys proto, prototype, and constructor when getting or setting properties, blocking attempts to manipulate JavaScript object prototypes via user-supplied input. This mitigates prototype pollution, the root cause of CVE-2020-7715, by ensuring these keys cannot be used to overwrite or inject properties onto Object.prototype or other critical object structures.
Available Upgrade Options
- deep-get-set
- <1.1.1 → Upgrade to 1.1.1
Struggling with dependency upgrades?
See how Resolved Security's drop-in replacements make it simple.
Book a demoAdditional Resources
What are Similar Vulnerabilities to CVE-2020-7715?
Similar Vulnerabilities: CVE-2022-21231 , CVE-2019-10744 , CVE-2020-28284 , CVE-2021-23395 , CVE-2021-23424
