CVE-2020-28280

9.8 CRITICAL

📋 TL;DR

CVE-2020-28280 is a prototype pollution vulnerability in the 'predefine' npm package that allows attackers to modify JavaScript object prototypes, potentially leading to denial of service or remote code execution. This affects any application using vulnerable versions of the predefine library. The vulnerability is particularly dangerous because it can be exploited through user-controlled input.

💻 Affected Systems

Products:
  • predefine npm package
Versions: 0.0.0 through 0.1.2
Operating Systems: All platforms running Node.js
Default Config Vulnerable: ⚠️ Yes
Notes: Any application using vulnerable versions of predefine is affected regardless of configuration.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case: Remote code execution leading to complete system compromise, data theft, or ransomware deployment.

🟠 Likely Case: Denial of service through application crashes or instability, with potential for limited code execution in specific configurations.

🟢 If Mitigated: Application instability or crashes without code execution if input validation blocks malicious payloads.

🌐 Internet-Facing: HIGH - Web applications using this library could be exploited through user input without authentication.
🏢 Internal Only: MEDIUM - Internal applications could be exploited by authenticated users or through other attack vectors.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Prototype pollution vulnerabilities are well-understood and exploitation techniques are publicly documented.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 0.1.3 and later

Vendor Advisory: https://github.com/bigpipe/predefine/security/advisories

Restart Required: Yes

Instructions:

1. Update package.json to require 'predefine' version 0.1.3 or higher.
2. Run 'npm update predefine' or 'yarn upgrade predefine'.
3. Restart all affected applications.

🔧 Temporary Workarounds

Input validation and sanitization (Platforms: all)

Implement strict input validation that rejects any user-supplied object containing the keys '__proto__', 'constructor' or 'prototype' at any nesting level before it reaches a merge or extend routine.

Object.freeze on prototypes (Platforms: all)

Freeze Object.prototype and other critical prototypes at application startup so that a pollution attempt cannot modify them. Note that this also breaks any library that legitimately extends built-in prototypes (polyfills, for example), and that a blocked write fails silently in sloppy mode but throws in strict mode, so test the application before deploying this workaround.

Object.freeze(Object.prototype);

🧯 If You Can't Patch

  • Implement strict input validation and sanitization for all user-controlled data
  • Use security monitoring to detect prototype pollution attempts and application crashes
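The input-validation workaround above, worked through as an added example (this is not code from the predefine project): a recursive check that reports the first pollution key in a parsed request body, and a deep merge onto a null-prototype object so that a key which slips past validation still cannot reach Object.prototype. The request body, field names and the checkRequest wrapper are constructed for the example.

```javascript
// Keys through which a merge/extend routine can reach Object.prototype.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Walk a parsed JSON value and return the dotted path of the first forbidden
// key found, or null if the value is clean.
function findPollutionKey(value, path = '') {
  if (value === null || typeof value !== 'object') return null;
  for (const key of Object.keys(value)) {
    const here = path ? `${path}.${key}` : key;
    if (FORBIDDEN_KEYS.has(key)) return here;
    const nested = findPollutionKey(value[key], here);
    if (nested) return nested;
  }
  return null;
}

// Deep merge that copies only own, non-forbidden keys onto a target whose
// prototype chain is empty, so nothing written here can affect other objects.
function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) continue;
    const val = source[key];
    if (val !== null && typeof val === 'object' && !Array.isArray(val)) {
      const existing = target[key];
      const base = existing !== null && typeof existing === 'object'
        ? existing : Object.create(null);
      target[key] = safeMerge(base, val);
    } else {
      target[key] = val;
    }
  }
  return target;
}

// Constructed sample request body: JSON.parse turns "__proto__" into an own
// property, which is exactly what a naive merge would then copy onto the
// target's prototype.
const SAMPLE_BODY = '{"name":"demo","__proto__":{"polluted":true}}';

// Hypothetical request handler step: reject polluted input, otherwise merge.
function checkRequest(bodyText) {
  const parsed = JSON.parse(bodyText);
  const bad = findPollutionKey(parsed);
  if (bad) return { accepted: false, reason: `forbidden key at ${bad}` };
  return { accepted: true, config: safeMerge(Object.create(null), parsed) };
}
```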

🔍 How to Verify

Check if Vulnerable:

Check package.json or package-lock.json for predefine version 0.0.0 through 0.1.2

Check Version:

npm list predefine | grep predefine

Verify Fix Applied:

Verify installed version is 0.1.3 or higher using 'npm list predefine'

📡 Detection & Monitoring

Log Indicators:

  • Application crashes with prototype-related errors
  • Unusual object property modifications in logs

Network Indicators:

  • HTTP requests with specially crafted JSON/objects targeting vulnerable endpoints

SIEM Query:

source="application.logs" AND ("prototype" OR "__proto__") AND (error OR crash)
