CVE-2020-28268

7.5 HIGH

📋 TL;DR

This CVE describes a prototype pollution vulnerability in the 'controlled-merge' npm package versions 1.0.0 through 1.2.0. Attackers can manipulate object prototypes to cause denial of service or potentially achieve remote code execution. Anyone using affected versions of this package in their Node.js applications is vulnerable.

💻 Affected Systems

Products:
  • controlled-merge npm package
Versions: 1.0.0 through 1.2.0
Operating Systems: All platforms running Node.js
Default Config Vulnerable: ⚠️ Yes
Notes: Any Node.js application using vulnerable versions of controlled-merge is affected regardless of configuration.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Remote code execution allowing complete system compromise and data exfiltration.

🟠

Likely Case

Denial of service through application crashes or resource exhaustion.

🟢

If Mitigated

Limited impact with proper input validation and sandboxing in place.

🌐 Internet-Facing: HIGH - Web applications using this package could be exploited remotely.
🏢 Internal Only: MEDIUM - Internal applications could be exploited by authenticated users.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Prototype pollution vulnerabilities are well-understood and relatively easy to exploit with available proof-of-concepts.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.2.1 and later

Vendor Advisory: https://github.com/hlfshell/controlled-merge/commit/5a4b2e9ffe5a0be7f8843d4ab038599d3ae5f9d4

Restart Required: Yes

Instructions:

1. Update package.json to require 'controlled-merge' version '^1.2.1'.
2. Run 'npm update controlled-merge'.
3. Restart your Node.js application.

🔧 Temporary Workarounds

Input validation and sanitization (applies to: all)

Implement strict input validation to reject objects with prototype pollution patterns.

Use Object.create(null) (applies to: all)

Create objects without prototype inheritance where possible to prevent pollution.

🧯 If You Can't Patch

  • Implement strict input validation and sanitization for all user-controlled objects
  • Isolate the vulnerable component in a sandboxed environment with limited permissions
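The two workarounds above, as an added example that is not code from the controlled-merge project: a recursive validator that rejects objects carrying prototype-pollution key patterns, and a merge that writes only own, permitted keys into null-prototype targets. The function names and the sample JSON payload are constructed for this illustration.

```javascript
// Keys that can reach Object.prototype through a naive recursive merge.
const FORBIDDEN_KEYS = new Set(["__proto__", "constructor", "prototype"]);

// Workaround 1: reject input whose nested keys match pollution patterns.
// JSON.parse produces an own "__proto__" property, so Object.keys sees it.
function hasPollutionKeys(value, seen = new WeakSet()) {
  if (value === null || typeof value !== "object") return false;
  if (seen.has(value)) return false; // guard against cyclic input
  seen.add(value);
  for (const key of Object.keys(value)) {
    if (FORBIDDEN_KEYS.has(key)) return true;
    if (hasPollutionKeys(value[key], seen)) return true;
  }
  return false;
}

// Plain objects only: arrays and class instances are copied by reference.
function isPlainObject(v) {
  if (v === null || typeof v !== "object" || Array.isArray(v)) return false;
  const proto = Object.getPrototypeOf(v);
  return proto === null || proto === Object.prototype;
}

// Workaround 2: merge into Object.create(null) so there is no prototype
// chain to pollute, and drop forbidden keys instead of assigning them.
function safeMerge(target, source) {
  const out = Object.create(null);
  for (const src of [target, source]) {
    for (const key of Object.keys(src)) {
      if (FORBIDDEN_KEYS.has(key)) continue;
      const incoming = src[key];
      const existing = out[key];
      if (isPlainObject(incoming) && isPlainObject(existing)) {
        out[key] = safeMerge(existing, incoming);
      } else if (isPlainObject(incoming)) {
        out[key] = safeMerge(Object.create(null), incoming);
      } else {
        out[key] = incoming;
      }
    }
  }
  return out;
}

// Constructed sample: untrusted JSON carrying a pollution pattern.
const untrusted = JSON.parse('{"a":{"y":2},"__proto__":{"polluted":true}}');
console.log("reject input:", hasPollutionKeys(untrusted)); // true
const merged = safeMerge({ a: { x: 1 } }, untrusted);
console.log("global prototype clean:", ({}).polluted === undefined); // true
```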

🔍 How to Verify

Check if Vulnerable:

Check package.json or run 'npm list controlled-merge' to see installed version.

Check Version:

npm list controlled-merge

Verify Fix Applied:

Verify version is 1.2.1 or higher with 'npm list controlled-merge' and test with known exploit payloads.

📡 Detection & Monitoring

Log Indicators:

  • Application crashes, unexpected object property modifications, memory exhaustion

Network Indicators:

  • Unusual HTTP requests with nested object payloads

SIEM Query:

source="application.log" AND ("prototype" OR "__proto__") AND ("controlled-merge" OR "merge")

🔗 References
