CVE-2020-8237
Prototype Pollution vulnerability in json-bigint (npm)
What is CVE-2020-8237 About?
This is a Prototype Pollution vulnerability in the 'json-bigint' npm package, potentially leading to a denial-of-service (DoS) attack. An attacker can inject properties into the JavaScript prototype chain, affecting globally shared objects. Exploitation is moderately complex, requiring knowledge of how to manipulate JSON inputs.
Affected Software
Technical Details
A Prototype Pollution vulnerability exists in the 'json-bigint' npm package prior to version 1.0.0. This class of vulnerability allows an attacker to add or modify properties of Object.prototype, the base prototype of almost every JavaScript object. By injecting properties into Object.prototype, an attacker can influence the behavior of any object in the application that inherits from it, which includes most objects. The most direct consequence is denial of service through overridden critical methods or properties; prototype pollution has led to remote code execution in other contexts, but the impact reported for this CVE is DoS.
What is the Impact of CVE-2020-8237?
Successful exploitation may allow attackers to cause a denial-of-service (DoS) condition by altering global object prototypes, leading to application instability or crashes.
What is the Exploitability of CVE-2020-8237?
Exploitation requires the attacker to submit specially crafted JSON input that is parsed by the 'json-bigint' package, so the attacker must control at least part of that input in order to inject properties into Object.prototype. Whether authentication is required depends on whether the application parses JSON from unauthenticated sources. Privilege level is generally not a factor, since the attack targets the JavaScript runtime rather than operating-system permissions. The vulnerability is typically remotely reachable wherever the application parses attacker-controlled JSON. The complexity lies in understanding how the JSON is processed and in shaping the input so that the resulting prototype pollution produces a denial-of-service effect.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2020-8237?
About the Fix from Resolved Security
This patch prevents JSON objects from defining the special keys __proto__ and constructor (including their Unicode-escaped variants) unless explicitly allowed by user-configurable options. By blocking or ignoring these properties, it mitigates prototype pollution, which is the core issue in CVE-2020-8237, thereby preventing attackers from manipulating the prototype chain of JavaScript objects through crafted JSON input.
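As an added example, not json-bigint's own code and not the Resolved Security patch, the following shows a hardened key-assignment step of the kind the fix describes: keys are checked after JSON string decoding (so a `\u005f\u005fproto\u005f\u005f` spelling is caught as `__proto__`), forbidden keys are dropped or rejected unless explicitly allowed, and properties are created with `Object.defineProperty` so the inherited `__proto__` setter is never invoked. The option names `allowSpecialKeys` and `strict` are hypothetical.

```javascript
// Added example, not json-bigint's own code or the vendor patch: a hardened
// key-assignment step for a hand-rolled JSON object builder, mirroring the
// class of fix described above. Option names (allowSpecialKeys, strict) are
// hypothetical.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor']);

// Assign one decoded key to a freshly built object. A plain `target[key] = value`
// would invoke the inherited __proto__ setter for that key; defineProperty
// creates an own data property and never touches the prototype chain.
function safeAssign(target, key, value, opts = {}) {
  if (FORBIDDEN_KEYS.has(key) && !opts.allowSpecialKeys) {
    if (opts.strict) throw new Error(`forbidden key in JSON input: ${key}`);
    return target; // default: silently drop the key
  }
  Object.defineProperty(target, key, {
    value, writable: true, enumerable: true, configurable: true,
  });
  return target;
}

// Parse with the built-in parser (which decodes \u escapes in keys, so a
// "\u005f\u005fproto\u005f\u005f" spelling reaches the check as "__proto__"),
// then rebuild every object through safeAssign so nested keys are covered too.
function parseSafe(text, opts = {}) {
  const walk = (node) => {
    if (Array.isArray(node)) return node.map(walk);
    if (node !== null && typeof node === 'object') {
      const out = {};
      for (const k of Object.keys(node)) safeAssign(out, k, walk(node[k]), opts);
      return out;
    }
    return node;
  };
  return walk(JSON.parse(text));
}

// Constructed sample input: an escaped __proto__ key that must not be honoured.
const sample = '{"\\u005f\\u005fproto\\u005f\\u005f": {"polluted": true}, "n": 1}';
const parsed = parseSafe(sample);
console.log(parsed.n, parsed.polluted, ({}).polluted); // 1 undefined undefined
```

The same walk can be applied to the output of any parser that builds plain objects, which is how an application can defend itself while a vulnerable dependency is still being upgraded.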
Available Upgrade Options
- json-bigint
- <1.0.0 → Upgrade to 1.0.0
Additional Resources
What are Similar Vulnerabilities to CVE-2020-8237?
Similar Vulnerabilities: CVE-2023-45136, CVE-2023-39296, CVE-2022-25912, CVE-2022-25860, CVE-2021-23518
