CVE-2020-28276

9.8 CRITICAL

📋 TL;DR

This is a prototype pollution vulnerability in the 'deep-set' npm package, versions 1.0.0 through 1.0.1. deep-set writes a value at a dotted path inside an object; when any part of that path is attacker-controlled, a segment such as __proto__ or constructor.prototype makes the write land on Object.prototype, which every plain object inherits from. The result is at least denial of service (crashes or corrupted application logic) and, in applications that later hand polluted objects to a template engine or child process, potentially remote code execution. Any application that feeds untrusted input into a vulnerable deep-set version is affected.
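To make the mechanism concrete, here is an added example (not the deep-set project's code and not a verbatim reconstruction of it): a minimal dotted-path setter that behaves the way the advisory describes, next to a hardened version that refuses prototype keys and only descends into properties the target object itself owns. The function names, the forbidden-key list and the "polluted" attacker path are assumptions chosen for the demonstration.

```javascript
// Naive dotted-path setter: creates intermediate objects for each segment.
// Vulnerable: a segment of "__proto__" (or "constructor" then "prototype")
// resolves to Object.prototype, so the final assignment is inherited by
// every plain object in the process.
function naiveDeepSet(target, path, value) {
  const keys = path.split('.');
  let node = target;
  for (let i = 0; i < keys.length - 1; i++) {
    const key = keys[i];
    if (node[key] === undefined || node[key] === null) node[key] = {};
    node = node[key]; // for "__proto__" this is Object.prototype
  }
  node[keys[keys.length - 1]] = value;
  return target;
}

// Keys that can steer a path onto a prototype (assumed list for this example).
const FORBIDDEN = new Set(['__proto__', 'constructor', 'prototype']);

// Hardened setter: reject prototype keys up front and never use an inherited
// value as a container, so even an already-polluted prototype is not walked.
function safeDeepSet(target, path, value) {
  const keys = path.split('.');
  for (const key of keys) {
    if (FORBIDDEN.has(key)) {
      throw new TypeError(`refusing to traverse prototype key "${key}"`);
    }
  }
  let node = target;
  for (let i = 0; i < keys.length - 1; i++) {
    const key = keys[i];
    const own = Object.prototype.hasOwnProperty.call(node, key);
    if (!own || typeof node[key] !== 'object' || node[key] === null) {
      node[key] = {};
    }
    node = node[key];
  }
  node[keys[keys.length - 1]] = value;
  return target;
}

// Constructed attacker-controlled path, applied to the naive setter.
// Returns what an unrelated object sees afterwards, then reverts the damage.
function demoPollution() {
  naiveDeepSet({}, '__proto__.polluted', 'yes');
  const victim = {};
  const leaked = victim.polluted; // inherited from Object.prototype
  delete Object.prototype.polluted; // undo so the rest of the process is clean
  return leaked;
}

// Same path against the hardened setter: it is rejected and nothing leaks.
function demoHardened() {
  let err = null;
  try {
    safeDeepSet({}, '__proto__.polluted', 'yes');
  } catch (e) {
    err = e;
  }
  return { rejected: err instanceof TypeError, clean: ({}).polluted === undefined };
}
```

Running demoPollution() shows an empty object suddenly carrying a "polluted" property; demoHardened() shows the same input being refused with a TypeError and no change to Object.prototype. Note the second guard in safeDeepSet: a forbidden-key check alone is not enough if some other code has already polluted the prototype, because a naive walker would then treat the inherited value as a container.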

💻 Affected Systems

Products:
  • deep-set npm package
Versions: 1.0.0 through 1.0.1
Operating Systems: All platforms running Node.js
Default Config Vulnerable: ⚠️ Yes
Notes: Any Node.js application that imports and uses the vulnerable deep-set package is affected regardless of configuration.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Remote code execution leading to complete system compromise, data theft, or ransomware deployment, where the polluted prototype reaches a sink such as a template engine or child-process options.

🟠 Likely Case

Denial of service through application crashes or corrupted logic once Object.prototype carries unexpected properties, with code execution only where a suitable sink exists in the application.

🟢 If Mitigated

Limited impact: with strict input validation and a frozen or otherwise protected prototype, a malicious path produces at most an application error.

🌐 Internet-Facing: HIGH - Web applications using this library could be exploited remotely without authentication.
🏢 Internal Only: MEDIUM - Internal applications could still be exploited by authenticated users or through other attack vectors.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Prototype pollution is a well-understood bug class with generic public payloads (paths containing __proto__ or constructor.prototype); exploiting a specific application still requires untrusted input to reach the deep-set path argument and, for code execution, a sink that reads the polluted property.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.0.2 and later

Vendor Advisory: https://github.com/klaemo/deep-set/security/advisories

Restart Required: Yes

Instructions:

1. Update package.json to require "deep-set": "^1.0.2" or higher.
2. Run npm install deep-set@^1.0.2 (or yarn upgrade deep-set@^1.0.2) so the lockfile is regenerated, and run npm ls deep-set to confirm no transitive dependency still resolves to 1.0.0 or 1.0.1.
3. Restart your Node.js application.

🔧 Temporary Workarounds

Input validation and sanitization (applies to: all platforms)

Reject any untrusted path segment or JSON key equal to __proto__, constructor or prototype before it reaches deep-set, and never build a deep-set path from raw user input.

Object.freeze on prototypes (applies to: all platforms)

Freeze Object.prototype at startup so pollution writes fail. Caveats: in non-strict code the write fails silently, in strict mode it throws a TypeError that must be handled or it becomes its own crash vector; any dependency that legitimately patches Object.prototype will break; and Array.prototype and other built-in prototypes stay writable unless frozen as well. Node.js 12.17 and later also accept --disable-proto=delete, which removes the __proto__ accessor but does not block the constructor.prototype path.

Object.freeze(Object.prototype);

🧯 If You Can't Patch

  • Implement strict input validation for all user-controlled data, rejecting __proto__, constructor and prototype as object keys and as path segments at any depth
  • Use application firewalls or reverse proxies to drop requests whose JSON body or query string contains those keys
  • Isolate the vulnerable application in a restricted network segment
  • Monitor for unusual application behavior, unexpected TypeErrors or crashes
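The validation workaround above, written out as an added example (not code from the deep-set project or the original advisory): a gate that parses an untrusted JSON body, walks every nested object and array, and refuses the request if any key could steer a deep-set style path onto a prototype, plus a segment check for dotted paths that arrive as strings. The forbidden-key list, function names and sample requests are constructed for this example.

```javascript
// Keys that can redirect a path write onto a prototype (assumed list).
const POLLUTION_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Recursively walk a parsed JSON value and return the JSONPath-like location
// of the first forbidden key, or null. JSON.parse creates an *own* property
// named "__proto__" (it does not invoke the setter), so Object.keys sees it.
function findPollutionKey(value, path = '$') {
  if (Array.isArray(value)) {
    for (let i = 0; i < value.length; i++) {
      const hit = findPollutionKey(value[i], `${path}[${i}]`);
      if (hit) return hit;
    }
    return null;
  }
  if (value !== null && typeof value === 'object') {
    for (const key of Object.keys(value)) {
      if (POLLUTION_KEYS.has(key)) return `${path}.${key}`;
      const hit = findPollutionKey(value[key], `${path}.${key}`);
      if (hit) return hit;
    }
  }
  return null;
}

// Dotted paths of the form deep-set consumes, arriving as strings (e.g. in a
// query parameter), are checked segment by segment.
function pathIsSafe(dottedPath) {
  return !dottedPath.split('.').some((seg) => POLLUTION_KEYS.has(seg));
}

// Request gate: returns { ok: true, body } or { ok: false, reason } and never
// hands a polluting document to downstream code.
function validateBody(rawJson) {
  let body;
  try {
    body = JSON.parse(rawJson);
  } catch (e) {
    return { ok: false, reason: 'invalid JSON' };
  }
  const hit = findPollutionKey(body);
  if (hit) return { ok: false, reason: `forbidden key at ${hit}` };
  return { ok: true, body };
}

// Constructed sample request bodies (not captured traffic).
const SAMPLES = {
  benign: '{"user":{"name":"alice","prefs":{"theme":"dark"}}}',
  protoKey: '{"user":{"__proto__":{"isAdmin":true}}}',
  ctorChain: '{"a":[{"constructor":{"prototype":{"x":1}}}]}',
};
```

The gate runs before any business logic touches the parsed body, so a rejected request is logged with its reason and never reaches deep-set. Rejecting the whole document, rather than stripping the offending keys, is deliberate: silently dropping keys hides attack attempts from monitoring and can leave partially sanitized structures that still confuse downstream code.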

🔍 How to Verify

Check if Vulnerable:

Check package.json and package-lock.json (or yarn.lock) for deep-set version 1.0.0 or 1.0.1, including transitive dependencies, or run 'npm list deep-set' in your project directory; 'npm audit' will also flag the advisory if the package is present in the lockfile.

Check Version:

npm list deep-set | grep deep-set

Verify Fix Applied:

Verify deep-set version is 1.0.2 or higher using 'npm list deep-set', then test application functionality.

📡 Detection & Monitoring

Log Indicators:

  • Application crashes and unexpected TypeErrors in Node.js logs (for example "x is not a function" or "Cannot read properties of undefined" from code that previously worked), or objects that suddenly carry properties no code assigned

Network Indicators:

  • HTTP requests whose JSON body, query string or form fields contain the keys or path segments __proto__, constructor or prototype

SIEM Query:

source="application.logs" AND ("deep-set" OR "prototype pollution" OR "Object.prototype" OR "__proto__") AND (error OR crash OR exception)

Note that a successful pollution rarely logs the library name; the more reliable signal is a spike in TypeErrors shortly after requests containing __proto__ or constructor.prototype, so correlate application errors with the network indicators above.
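The log indicators above describe symptoms; a process can also check for the cause directly. As an added example (not part of the original advisory or the deep-set project), this prototype-integrity canary records the own property names of the built-in prototypes at startup and later reports any addition as a pollution finding, formatted as one JSON line per finding for a log shipper. The event name, the set of watched prototypes and the simulated pollution are assumptions made for the demonstration.

```javascript
// Prototypes that pollution most commonly lands on (assumed watch list).
const WATCHED = [
  ['Object.prototype', Object.prototype],
  ['Array.prototype', Array.prototype],
  ['Function.prototype', Function.prototype],
];

// Record the own property names of each watched prototype.
function snapshot() {
  const snap = new Map();
  for (const [name, proto] of WATCHED) {
    snap.set(name, new Set(Object.getOwnPropertyNames(proto)));
  }
  return snap;
}

// Baseline taken at module load, before any untrusted input is handled.
const BASELINE = snapshot();

// Describe a property without triggering accessors (some built-in accessors
// throw when read), so the canary itself cannot crash the process.
function describe(proto, prop) {
  const desc = Object.getOwnPropertyDescriptor(proto, prop);
  return desc && 'value' in desc ? String(desc.value) : '[accessor]';
}

// Return one finding per own property that was not present at baseline.
// An empty array means no pollution was observed.
function checkPrototypeIntegrity(baseline = BASELINE) {
  const findings = [];
  for (const [name, proto] of WATCHED) {
    for (const prop of Object.getOwnPropertyNames(proto)) {
      if (!baseline.get(name).has(prop)) {
        findings.push({ prototype: name, property: prop, value: describe(proto, prop) });
      }
    }
  }
  return findings;
}

// One JSON log line per finding, ready to ship to a SIEM.
function formatLogLines(findings) {
  return findings.map((f) => JSON.stringify({ event: 'prototype_pollution', ...f }));
}

// Constructed scenario: simulate the effect of a successful deep-set
// pollution, run the canary, then revert so the process stays clean.
function simulateAndDetect() {
  Object.prototype.polluted = 'attacker-value';
  const findings = checkPrototypeIntegrity();
  delete Object.prototype.polluted;
  return findings;
}
```

In a real service, checkPrototypeIntegrity() would run on a timer or at the end of each request handler and its output would be written to the application log, where the SIEM query above can match on the "prototype_pollution" event. Because the baseline is taken at load time, the check must be initialised before any request handling code and before loading modules that intentionally extend built-in prototypes.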

🔗 References

📤 Share & Export