CVE-2020-28495: Improperly Controlled Modification of Object Prototype Attributes

February 2, 2021 (updated February 5, 2021)

The set function can be used to set a value into the object according to the path. However the keys of the path being set are not properly sanitized, leading to a prototype pollution vulnerability. The impact depends on the application. In some cases it is possible to achieve Denial of service (DoS), Remote Code Execution or Property Injection.

References

nvd.nist.gov/vuln/detail/CVE-2020-28495

Code Behaviors & Features

Detect and mitigate CVE-2020-28495 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →