CVE-2020-28281 in set-object-value

Summary

by MITRE • 12/30/2020

Prototype pollution vulnerability in 'set-object-value' versions 0.0.0 through 0.0.5 allows an attacker to cause a denial of service and may lead to remote code execution.


Analysis

by VulDB Data Team • 06/06/2026

Prototype pollution vulnerabilities in JavaScript libraries represent a critical class of security flaws that can be exploited to manipulate object prototypes and potentially gain unauthorized system access. The specific vulnerability affecting set-object-value versions 0.0.0 through 0.0.5 demonstrates how seemingly innocuous object manipulation functions can become attack vectors when proper input validation is absent. This vulnerability falls under the Common Weakness Enumeration category CWE-471, where an application modifies a data structure in a way that affects the data structure used by the application or other applications. The flaw occurs when the library fails to properly validate or sanitize object keys during value assignment operations, allowing attackers to inject malicious properties into the prototype chain of objects.

The technical execution of this vulnerability typically involves an attacker providing crafted input that contains prototype-polluting keys such as __proto__ or constructor. When the vulnerable library processes these inputs without proper sanitization, it inadvertently modifies the prototype of the target object, which can have cascading effects throughout the application's object model. This behavior can be leveraged to manipulate object properties that should remain protected, potentially leading to denial of service conditions when the application attempts to process these corrupted objects. The vulnerability's potential for remote code execution arises from the fact that prototype pollution can be combined with other exploitation techniques to achieve arbitrary code execution in certain contexts.

The operational impact of this vulnerability extends beyond simple denial of service scenarios to potentially compromise entire application environments. When an application uses set-object-value to handle user-provided data, an attacker can inject malicious prototype properties that persist across multiple object operations. This persistence means that subsequent operations on objects that inherit from the polluted prototype can be manipulated to execute unintended code paths. The vulnerability is particularly concerning because it can be exploited through various attack vectors including web forms, API endpoints, or any interface that accepts structured data input. According to the attack pattern taxonomy, this represents a prototype pollution attack that can be classified under the MITRE ATT&CK framework as a technique for privilege escalation and code execution.

Mitigation strategies for this vulnerability require immediate patching of the affected library versions to the latest secure releases that properly validate object keys and prevent prototype pollution. Organizations should implement comprehensive input validation at multiple layers including application-level sanitization, web application firewalls, and runtime protections. The implementation of strict object property validation can prevent malicious keys from being processed, while proper access controls and least privilege principles can limit the damage from successful exploitation attempts. Additionally, security monitoring should be enhanced to detect unusual object property modifications that might indicate prototype pollution attacks. The vulnerability serves as a reminder of the importance of secure coding practices and the need for thorough security testing of third-party libraries and dependencies in modern software development environments.
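
The key handling described in the analysis and the strict property validation named as a mitigation, shown side by side as an added example. This is not code from set-object-value or from this page; the function names, the dotted-path convention and the sample input are assumptions made for illustration.

```javascript
// Added example: hypothetical helpers, not the set-object-value source code.
const BLOCKED_KEYS = new Set(['__proto__', 'constructor', 'prototype']);
// Weak form: follows every path segment, including inherited ones.
function setByPathNaive(target, path, value) {
  const keys = path.split('.');
  let node = target;
  for (const key of keys.slice(0, -1)) {
    if (typeof node[key] !== 'object' || node[key] === null) node[key] = {};
    node = node[key];
  }
  node[keys[keys.length - 1]] = value;
  return target;
}

// Hardened form: rejects prototype-related keys, descends only into own properties.
function setByPathSafe(target, path, value) {
  const keys = String(path).split('.');
  if (keys.some((k) => k === '' || BLOCKED_KEYS.has(k))) {
    throw new TypeError('unsafe key in path: ' + JSON.stringify(path));
  }
  const define = (obj, key, val) => Object.defineProperty(obj, key, {
    value: val, writable: true, enumerable: true, configurable: true,
  });
  let node = target;
  for (const key of keys.slice(0, -1)) {
    const own = Object.prototype.hasOwnProperty.call(node, key);
    if (!own || typeof node[key] !== 'object' || node[key] === null) define(node, key, {});
    node = node[key];
  }
  define(node, keys[keys.length - 1], value);
  return target;
}
// Runs both setters on the same constructed input and reports the outcome.
function demo() {
  const out = {};
  setByPathNaive({}, '__proto__.polluted', true);
  out.naivePolluted = ({}).polluted === true; // unrelated object is affected
  delete Object.prototype.polluted;           // restore the shared prototype
  try {
    setByPathSafe({}, '__proto__.polluted', true);
    out.safeRejected = false;
  } catch (err) {
    out.safeRejected = err instanceof TypeError;
  }
  out.safePolluted = ({}).polluted === true;
  out.safeNormal = setByPathSafe({}, 'user.name', 'alice');
  return out;
}
```
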

Disclosure

12/30/2020

Moderation

accepted

CPE

ready

EPSS

0.03591

KEV

no

Activities

very low

Sources
