CVE-2020-28282

9.8 CRITICAL

📋 TL;DR

CVE-2020-28282 is a prototype pollution vulnerability in the 'getobject' npm package version 0.1.0 that allows attackers to modify JavaScript object prototypes. This can lead to denial of service, property injection, and potentially remote code execution in applications using this vulnerable library. Any Node.js application using 'getobject' version 0.1.0 is affected.

💻 Affected Systems

Products:
  • getobject npm package
Versions: 0.1.0 only
Operating Systems: All operating systems running Node.js
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects applications that use the vulnerable 'getobject' package version 0.1.0. Later versions are not affected.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Remote code execution leading to complete system compromise, data theft, and lateral movement within the network.

🟠 Likely Case

Denial of service through application crashes or unexpected behavior, with potential for property injection attacks.

🟢 If Mitigated

Limited impact if proper input validation and sandboxing are implemented, though prototype pollution remains dangerous.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Prototype pollution vulnerabilities are well-understood and relatively easy to exploit with available proof-of-concept code.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 0.1.1 and later

Vendor Advisory: https://github.com/cowboy/node-getobject/security/advisories

Restart Required: Yes

Instructions:

1. Update package.json to require 'getobject' version 0.1.1 or later.
2. Run 'npm update getobject' or 'yarn upgrade getobject'.
3. Restart your Node.js application.

🔧 Temporary Workarounds

Input Validation and Sanitization (applies to: all)

Implement strict input validation for all user-controlled data passed to getobject functions.

Object.freeze() on Prototypes (applies to: all)

Freeze Object.prototype and other base prototypes to prevent pollution.

// Run before any untrusted input is processed; later writes to the frozen
// prototype throw a TypeError in strict mode and are ignored in sloppy mode.
Object.freeze(Object.prototype);
Object.freeze(Object);
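Added example, not getobject's own code: a hypothetical hardened deep setter `safeSet` that applies the input-validation workaround by rejecting the path segments that reach a prototype, alongside the freeze workaround above and a `prototypeIsPolluted` health check that monitoring can call. The names `safeSet`, `freezeBasePrototypes`, `prototypeIsPolluted`, `demo` and the canary key `polluted` are assumptions of this example.

```javascript
'use strict';
// Added example, not getobject's own code. Path segments that would steer a
// deep setter into a prototype instead of the target object are rejected.
const FORBIDDEN_SEGMENTS = new Set(['__proto__', 'constructor', 'prototype']);

// Hypothetical hardened deep setter: writes `value` at the dot-delimited
// `path` inside `target`, creating intermediate plain objects as needed.
function safeSet(target, path, value) {
  const segments = path.split('.');
  for (const seg of segments) {
    if (FORBIDDEN_SEGMENTS.has(seg)) {
      throw new Error(`refusing prototype-polluting path segment: ${seg}`);
    }
  }
  let cur = target;
  for (let i = 0; i < segments.length - 1; i++) {
    const seg = segments[i];
    // Descend only into own properties; never walk the prototype chain.
    const own = Object.prototype.hasOwnProperty.call(cur, seg);
    if (!own || typeof cur[seg] !== 'object' || cur[seg] === null) cur[seg] = {};
    cur = cur[seg];
  }
  cur[segments[segments.length - 1]] = value;
  return target;
}

// Defence in depth for setters that lack the check above: once the base
// prototypes are frozen, a write to them throws a TypeError in strict mode and
// is silently ignored in sloppy mode. Run it before any untrusted input is
// handled; it breaks libraries that legitimately extend these prototypes.
function freezeBasePrototypes() {
  for (const proto of [Object.prototype, Array.prototype]) {
    Object.freeze(proto);
  }
}

// Health check: true if the constructed canary key is reachable on every plain
// object, i.e. Object.prototype has already been polluted.
function prototypeIsPolluted(canary = 'polluted') {
  return canary in {};
}

// Walk-through with a constructed user-controlled path string.
function demo() {
  const before = prototypeIsPolluted();
  let rejected = false;
  try { safeSet({}, '__proto__.polluted', true); } catch (e) { rejected = true; }
  freezeBasePrototypes();
  return { before, rejected, frozen: Object.isFrozen(Object.prototype), after: prototypeIsPolluted() };
}
```

`demo()` returns `{ before: false, rejected: true, frozen: true, after: false }`: the polluting path is refused by validation, and the prototypes stay clean after freezing.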

🧯 If You Can't Patch

  • Implement Web Application Firewall (WAF) rules to detect and block prototype pollution patterns
  • Isolate affected applications in network segments with strict egress filtering

🔍 How to Verify

Check if Vulnerable:

Check package.json or run 'npm list getobject' to see if version 0.1.0 is installed

Check Version:

npm list getobject | grep getobject

Verify Fix Applied:

Verify 'npm list getobject' shows version 0.1.1 or later, then test application functionality

📡 Detection & Monitoring

Log Indicators:

  • Unexpected application crashes
  • Unusual property assignments in object logs
  • Error messages related to prototype modifications

Network Indicators:

  • HTTP requests with specially crafted JSON/object payloads
  • Unusual outbound connections from Node.js processes

SIEM Query:

source="application.log" AND ("prototype" OR "__proto__" OR "constructor") AND ("error" OR "crash")

🔗 References
