Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') in object-path
CVE-2020-15256
- object-path
Summary
The package object-path has a Prototype Pollution vulnerability affecting the "set()" method. The vulnerability is limited to the "includeInheritedProps" mode, which has to be explicitly enabled by creating a new instance of "object-path" with the option "includeInheritedProps: true", or by using the default "withInheritedProps" instance. The default operating mode, which only walks an object's own properties, is not affected. As a workaround, don't use the "includeInheritedProps: true" option or the "withInheritedProps" instance if using a version above 0.11.0. This issue affects versions prior to 0.11.5.
- LOW
- NETWORK
- HIGH
- UNCHANGED
- NONE
- NONE
- HIGH
- HIGH
CWE-1321 - Prototype Pollution
Prototype pollution is a less widely known class of vulnerability that is specific to JavaScript's prototype-based inheritance. An attacker who can influence the property names a program writes to (for example through a user-supplied path or JSON key such as "__proto__" or "constructor.prototype") injects properties into "Object.prototype", the object from which almost every other object in the runtime inherits. Because the injected property becomes visible on every object in the application, the impact depends on how later code reads it: denial of service, arbitrary code execution, cross-site scripting and other outcomes are all possible.
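The following is an added example, not object-path's own source code, written to make the distinction drawn in the Summary and in the CWE description concrete. It reimplements a minimal deep "set(obj, path, value)" in two modes and shows why an attacker-controlled path such as "__proto__.polluted" pollutes "Object.prototype" only when inherited properties are traversed. The assumption (this example's, not a quote of the library) is that the own-property mode descends only into keys the current object holds itself, while the "includeInheritedProps" mode also descends into keys reached through the prototype chain. The names "makeSetter", "outcome", "PROTOTYPE_KEYS" and the "rejectPrototypeKeys" option are invented here; "rejectPrototypeKeys" is a generic hardening check, not a description of the fix shipped in 0.11.5.

```javascript
// Added example, not object-path's own code: a minimal deep set() with an
// own-property mode and an inherited-property mode, plus an optional
// generic hardening check. All names here are this example's own.

const PROTOTYPE_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function makeSetter({ includeInheritedProps = false, rejectPrototypeKeys = false } = {}) {
  // May we descend into obj[key]? Own-property mode never sees '__proto__'
  // or 'constructor' on a plain object, because both live on Object.prototype.
  const hasKey = includeInheritedProps
    ? (obj, key) => key in obj
    : (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);

  return function set(obj, path, value) {
    const keys = Array.isArray(path) ? path : String(path).split('.');
    let cur = obj;
    for (let i = 0; i < keys.length; i++) {
      const key = keys[i];
      // Optional hardening (a generic mitigation, not the library's fix):
      // refuse the keys through which Object.prototype is reachable.
      if (rejectPrototypeKeys && PROTOTYPE_KEYS.has(key)) {
        throw new Error(`refusing to traverse prototype key "${key}"`);
      }
      if (i === keys.length - 1) {
        cur[key] = value;
        break;
      }
      const existing = cur[key];
      const isContainer = existing !== null &&
        (typeof existing === 'object' || typeof existing === 'function');
      if (hasKey(cur, key) && isContainer) {
        cur = existing;   // descend into a container that already exists
      } else {
        cur[key] = {};    // create an intermediate container
        cur = cur[key];
      }
    }
    return obj;
  };
}

// Run one attacker-style set() against a throwaway object in the given mode
// and report what happened to an unrelated, freshly created object:
//   'polluted' - the fresh object now inherits the injected property
//   'clean'    - it does not
//   'rejected' - the hardened setter refused the path
// Any pollution is removed afterwards so later calls start from a clean slate.
function outcome(options, path) {
  const set = makeSetter(options);
  try {
    set({}, path, true);
    return ({}).polluted === true ? 'polluted' : 'clean';
  } catch (e) {
    return 'rejected';
  } finally {
    delete Object.prototype.polluted;
  }
}

// Constructed attacker inputs: the two usual routes to Object.prototype.
const ATTACKER_PATHS = ['__proto__.polluted', 'constructor.prototype.polluted'];

for (const path of ATTACKER_PATHS) {
  console.log(path,
    '| default:', outcome({}, path),
    '| includeInheritedProps:', outcome({ includeInheritedProps: true }, path),
    '| inherited + reject:', outcome({ includeInheritedProps: true, rejectPrototypeKeys: true }, path));
}

// Ordinary use is unaffected by the mode: nested containers are created on demand.
console.log(JSON.stringify(makeSetter({ includeInheritedProps: true })({}, 'a.b.c', 1)));
```

In the inherited mode the walk reaches "Object.prototype" through either "__proto__" (an accessor inherited by every plain object) or "constructor.prototype", and the final assignment lands on the shared prototype. In the own-property mode neither key is an own property of the target, so the setter creates a shadowing intermediate object instead and the shared prototype is never touched; "({}).polluted === undefined" after the call is the quick check for that. Rejecting the three prototype keys outright is the usual belt-and-braces addition when inherited traversal cannot be avoided.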
Advisory Timeline
- Published