CVE-2020-8116
Prototype Pollution vulnerability in dot-prop
What is CVE-2020-8116 About?
This is a prototype pollution vulnerability in the 'dot-prop' npm package, affecting versions before 4.2.1 and 5.x before 5.1.1. It allows an attacker to inject arbitrary properties into JavaScript objects. Such injections can lead to various security issues, including arbitrary code execution or privilege escalation. Exploitation is generally uncomplicated if an attacker can control input to the vulnerable package.
Affected Software
- dot-prop
  - <4.2.1
  - >5.0.0, <5.1.1
Technical Details
The 'dot-prop' package, which typically accesses and sets nested object properties using dot notation, is susceptible to prototype pollution. An attacker can supply a specially crafted property path (e.g., using `__proto__` or `constructor.prototype`) that, when processed by 'dot-prop', allows them to add or modify properties on the global `Object.prototype`. This means that any object created in the application that inherits from `Object.prototype` will be affected, potentially altering its behavior, allowing property overwrites, or enabling method injection, which can lead to privilege escalation or arbitrary code execution.
What is the Impact of CVE-2020-8116?
Successful exploitation may allow attackers to tamper with application logic, bypass security measures, cause denial of service, or achieve remote code execution, depending on how the application uses affected objects.
What is the Exploitability of CVE-2020-8116?
Exploitation of this prototype pollution vulnerability typically requires an attacker to provide malicious input that includes prototype-chain manipulating strings (e.g., '__proto__.malicious_prop'). The complexity is low as it often involves sending crafted JSON or form data. No prior authentication or specific privileges are usually needed, provided the attacker can interact with an application that processes user input via the 'dot-prop' package. This can be a remote vulnerability if the input is processed server-side. The most significant risk factor is the application's failure to sanitize or validate user-supplied property names and values before they are used by 'dot-prop'.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2020-8116?
About the Fix from Resolved Security
This patch prevents access to dangerous object properties by checking path segments for CVE-2020-8116 vectors like `__proto__`, `prototype`, and `constructor`, aborting any operation if they are present. This blocks prototype pollution attacks, where malicious input could modify the prototype chain, by ensuring these keys cannot be reached or set via the library’s API.
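The segment check described above, shown as an added example next to an unhardened setter. This is illustrative code written for this page, not dot-prop's source; the function names and the `polluted_demo_flag` marker are hypothetical.

```javascript
// Added illustration: a minimal dot-path setter, not dot-prop's source code.
// Key list assumed from the fix description above.
const DISALLOWED_KEYS = new Set(['__proto__', 'prototype', 'constructor']);

const isObject = (v) =>
  v !== null && (typeof v === 'object' || typeof v === 'function');

// Unhardened: walks every path segment without inspecting its name.
function setUnchecked(target, path, value) {
  const keys = path.split('.');
  let node = target;
  for (const key of keys.slice(0, -1)) {
    if (!isObject(node[key])) {
      node[key] = {};
    }
    node = node[key];
  }
  node[keys[keys.length - 1]] = value;
  return target;
}

// Hardened: abort the whole operation if any segment is disallowed.
function setChecked(target, path, value) {
  if (path.split('.').some((key) => DISALLOWED_KEYS.has(key))) {
    return target; // object and prototype chain stay untouched
  }
  return setUnchecked(target, path, value);
}

// Reports whether a fresh, unrelated object inherits a property written
// through `prefix`, then restores Object.prototype.
function pollutesPrototype(setter, prefix) {
  const marker = 'polluted_demo_flag'; // constructed sample property name
  try {
    setter({}, `${prefix}.${marker}`, true);
    return ({})[marker] === true;
  } finally {
    delete Object.prototype[marker];
  }
}

for (const prefix of ['__proto__', 'constructor.prototype']) {
  console.log(prefix,
    'unchecked:', pollutesPrototype(setUnchecked, prefix),
    'checked:', pollutesPrototype(setChecked, prefix));
}
```

The same `pollutesPrototype` probe can serve as a regression test for any in-house path setter that accepts user-controlled keys.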
Available Upgrade Options
- dot-prop
  - <4.2.1 → Upgrade to 4.2.1
- dot-prop
  - >5.0.0, <5.1.1 → Upgrade to 5.1.1
Additional Resources
- https://github.com/sindresorhus/dot-prop/commit/3039c8c07f6fdaa8b595ec869ae0895686a7a0f2
- https://github.com/advisories/GHSA-ff7x-qrg7-qggm
- https://hackerone.com/reports/719856
- https://github.com/sindresorhus/dot-prop/commit/c914124f418f55edea27928e89c94d931babe587
- https://github.com/sindresorhus/dot-prop
- https://github.com/sindresorhus/dot-prop/tree/v4
- https://github.com/sindresorhus/dot-prop/issues/63
- https://nvd.nist.gov/vuln/detail/CVE-2020-8116
- https://osv.dev/vulnerability/GHSA-ff7x-qrg7-qggm
What are Similar Vulnerabilities to CVE-2020-8116?
Similar Vulnerabilities: CVE-2020-7751, CVE-2020-28499, CVE-2019-10747, CVE-2019-11358, CVE-2020-15250
