CVE-2020-7792
Prototype Pollution vulnerability in mout (npm)
What is CVE-2020-7792 About?
This vulnerability affects the 'mout' package's deepFillIn and deepMixIn functions, leading to Prototype Pollution. Attackers can modify the properties of Object.prototype, which can result in denial of service, remote code execution, or security feature bypass, and is relatively easy to exploit with control over input keys.
Affected Software
Technical Details
The 'mout' package, across all its versions, contains a Prototype Pollution vulnerability within its deepFillIn and deepMixIn functions. These functions are intended to recursively fill or mix properties into a target object. The flaw stems from the fact that the key used to access target objects recursively within these functions is not properly validated or sanitized. An attacker can supply a specially crafted key, such as 'proto', to directly access and modify the Object.prototype. By manipulating Object.prototype, an attacker can inject or alter properties that will subsequently be inherited by all other objects, leading to widespread changes in application behavior or denial of service.
What is the Impact of CVE-2020-7792?
Successful exploitation may allow attackers to inject arbitrary properties into JavaScript object prototypes, leading to denial of service, remote code execution, or bypass of security mechanisms depending on application context and implementation.
What is the Exploitability of CVE-2020-7792?
Exploitation of this vulnerability is of medium complexity, requiring the attacker to control the keys passed to the deepFillIn or deepMixIn functions. No authentication is typically required if the vulnerable function processes untrusted input, making it a remote attack vector. The primary prerequisite is that the application uses the 'mout' package and processes user-controlled input through the vulnerable functions. Privilege requirements are generally low, as the attack targets the application logic rather than system-level access. The risk factor increases significantly in applications that deserialize untrusted data or handle dynamic object generation from external sources without proper input validation.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | ||
What are the Available Fixes for CVE-2020-7792?
About the Fix from Resolved Security
This patch prevents setting object properties named "proto", "prototype", or "constructor", which are common vectors for prototype pollution attacks. By adding this check, it mitigates the risk addressed in CVE-2020-7792, where malicious input could manipulate an object's prototype chain, potentially leading to arbitrary code execution or security bypasses.
Available Upgrade Options
- mout
- <1.2.3 → Upgrade to 1.2.3
Struggling with dependency upgrades?
See how Resolved Security's drop-in replacements make it simple.
Book a demoAdditional Resources
- https://osv.dev/vulnerability/GHSA-pc58-wgmc-hfjr
- https://snyk.io/vuln/SNYK-JS-MOUT-1014544
- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARS-1050374
- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1050373
- https://github.com/mout/mout/blob/master/src/object/deepMixIn.js
- https://github.com/mout/mout/blob/master/src/object/deepFillIn.js
- https://snyk.io/vuln/SNYK-JS-MOUT-1014544
- https://nvd.nist.gov/vuln/detail/CVE-2020-7792
- https://github.com/mout/mout/blob/master/src/object/deepMixIn.js
- https://github.com/mout/mout/commit/3fecf1333e6d71ae72edf48c71dc665e40df7605
What are Similar Vulnerabilities to CVE-2020-7792?
Similar Vulnerabilities: CVE-2020-7608 , CVE-2020-35149 , CVE-2019-10747 , CVE-2019-11358 , CVE-2019-16782
