CVE-2020-7751
Prototype Pollution vulnerability in pathval

Type: Prototype Pollution. Known public exploit: none.

What is CVE-2020-7751 About?

This is a prototype pollution vulnerability affecting all versions of the 'pathval' package under 1.1.1. It allows an attacker to inject arbitrary properties into JavaScript objects, which can lead to various security bypasses or remote code execution. Exploitation is generally easy given the nature of prototype pollution.

Affected Software

pathval <1.1.1

Technical Details

The vulnerability lies within the 'pathval' package, which sets and reads values on objects by path (for example dot-notation strings). When a path is built from untrusted input, an attacker can walk into the prototype chain instead of the target object's own properties. By injecting malicious properties into the prototype of a base JavaScript object, an attacker can affect every object inheriting from that prototype. This can lead to unexpected behavior, property overwriting, or even execution of arbitrary code if application logic relies on manipulated properties or methods resolved through the prototype chain.

What is the Impact of CVE-2020-7751?

Successful exploitation may allow attackers to alter application logic, bypass security controls, perform denial of service, or achieve remote code execution depending on the application's implementation and how it processes objects.

What is the Exploitability of CVE-2020-7751?

Exploitation of this prototype pollution vulnerability typically requires an attacker to provide specially crafted input that can traverse or modify object prototypes. The complexity is generally low, as it often involves providing dot-notation paths in data that the application processes. No authentication is usually required at the point of vulnerability, but the attacker needs to be able to supply input that is processed by the vulnerable package. Remote exploitation is possible if the application processes untrusted input remotely. Lack of proper input validation significantly increases the likelihood of successful exploitation.
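As an added, defender-oriented example (not pathval's own code and not the upstream fix), the following hardened path setter shows the control that closes this class of bug: it parses dot and numeric-index paths, refuses any segment that would reach a prototype (`__proto__`, `constructor`, `prototype`), and only descends into properties the target object itself owns. The function names (`parsePath`, `isProtoPollutingPath`, `setPathValue`, `prototypeIsClean`) are this example's own and are not pathval's API; the sample paths are constructed.

```javascript
'use strict';

// Added example, not pathval's own code. Names and behaviour here are this
// example's own assumptions, not the library's API or its 1.1.1 fix.

// Segment names that let a path escape the target object into its prototype chain.
const FORBIDDEN_SEGMENTS = new Set(['__proto__', 'constructor', 'prototype']);

// Split a path such as "a.b[0].c" into ['a', 'b', '0', 'c'].
// Handles dot notation and numeric bracket indices only.
function parsePath(path) {
  if (typeof path !== 'string') throw new TypeError('path must be a string');
  const segments = [];
  const re = /([^.\[\]]+)|\[(\d+)\]/g;
  let m;
  while ((m = re.exec(path)) !== null) {
    segments.push(m[1] !== undefined ? m[1] : m[2]);
  }
  return segments;
}

// True when any segment would walk into a prototype rather than an own property.
// Useful as an input-validation check before the path ever reaches a setter.
function isProtoPollutingPath(path) {
  return parsePath(path).some((seg) => FORBIDDEN_SEGMENTS.has(seg));
}

// Set `value` at `path` inside `obj`, creating intermediate containers as needed.
// Throws instead of writing when the path is prototype-polluting.
function setPathValue(obj, path, value) {
  const segments = parsePath(path);
  if (segments.length === 0) throw new Error('empty path');
  for (const seg of segments) {
    if (FORBIDDEN_SEGMENTS.has(seg)) {
      throw new Error('refusing prototype-polluting path segment: ' + seg);
    }
  }
  let cur = obj;
  for (let i = 0; i < segments.length - 1; i++) {
    const seg = segments[i];
    const next = segments[i + 1];
    // Only descend into properties the object itself owns; anything inherited
    // (e.g. toString from Object.prototype) is treated as absent and shadowed
    // by a fresh own container, so the prototype is never written to.
    const own = Object.prototype.hasOwnProperty.call(cur, seg);
    if (!own || cur[seg] === null || typeof cur[seg] !== 'object') {
      cur[seg] = /^\d+$/.test(next) ? [] : {};
    }
    cur = cur[seg];
  }
  cur[segments[segments.length - 1]] = value;
  return obj;
}

// Post-condition check: a fresh empty object must not see `name` via inheritance.
function prototypeIsClean(name) {
  return !(name in {});
}

// Constructed demonstration: a legitimate path is applied, a polluting one is refused.
const target = setPathValue({}, 'user.roles[0]', 'reader');
console.log(JSON.stringify(target)); // {"user":{"roles":["reader"]}}
try {
  setPathValue({}, '__proto__.polluted', true);
} catch (e) {
  console.log('blocked:', e.message);
}
console.log('prototype clean:', prototypeIsClean('polluted'));
```

The `isProtoPollutingPath` check is the piece to run at the trust boundary (request parsing, config loading) before a path is handed to any setter, and `prototypeIsClean` is a cheap assertion to add to a test suite so a regression that reintroduces the write is caught.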

What are the Known Public Exploits?

PoC / Author / Link / Commentary: no entries. No known public exploits.

What are the Available Fixes for CVE-2020-7751?

Available Upgrade Options

  • pathval
    • <1.1.1 → Upgrade to 1.1.1


Additional Resources

What are Similar Vulnerabilities to CVE-2020-7751?

Similar Vulnerabilities: CVE-2020-28499, CVE-2020-8116, CVE-2019-10747, CVE-2019-11358, CVE-2020-15250