CVE-2020-28449

8.6 HIGH

📋 TL;DR

CVE-2020-28449 is a prototype pollution vulnerability in the decal.js package's set function that allows attackers to modify object prototypes. This affects all applications using any version of the decal package, potentially leading to remote code execution or denial of service.

💻 Affected Systems

Products:
  • decal.js
Versions: All versions
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Any application using the decal package's set function is vulnerable regardless of configuration.

📦 What is this software?

⚠️ Manual Verification Required

This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.

Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).


Recommended Actions:
  1. Review the CVE details at NVD
  2. Check vendor security advisories for your specific version
  3. Test if the vulnerability is exploitable in your environment
  4. Consider updating to the latest version as a precaution

⚠️ Risk & Real-World Impact

🔴 Worst Case: Remote code execution leading to complete system compromise, data theft, or ransomware deployment.

🟠 Likely Case: Denial of service, application crashes, or unauthorized data manipulation.

🟢 If Mitigated: Limited impact with proper input validation and sandboxing in place.

🌐 Internet-Facing: HIGH - Web applications using decal.js are directly exposed to exploitation.
🏢 Internal Only: MEDIUM - Internal applications still vulnerable but with reduced attack surface.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires attacker-controlled input to the vulnerable set function.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: None

Vendor Advisory: https://github.com/gigafied/decal.js/security/advisories

Restart Required: No

Instructions:

  1. Remove the decal package from dependencies.
  2. Find an alternative library.
  3. Update package.json.
  4. Run npm install.

🔧 Temporary Workarounds

Input validation wrapper (applies to: all versions)

Wrap decal.set calls with strict input validation to reject malicious payloads.

// Implement custom validation before calling decal.set(obj, path, value)
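One way to implement that wrapper, as an added example that is not decal.js's own code: `validatePath` rejects any path segment that would walk into a prototype instead of the target object, and `safeSet` is a hypothetical guarded deep-set of the same `set(obj, path, value)` shape the advisory describes, written out here so the block runs stand-alone (in an application you would call `decal.set` only after `validatePath` has accepted the path).

```javascript
// Segment names that reach Object.prototype or a class prototype
// rather than an own property of the target object.
const FORBIDDEN_SEGMENTS = new Set(["__proto__", "constructor", "prototype"]);

// Accept a path given either as "a.b.c" or ["a", "b", "c"].
function toSegments(path) {
  const segs = Array.isArray(path) ? path.map(String) : String(path).split(".");
  if (segs.length === 0 || segs.some((s) => s.length === 0)) {
    throw new TypeError("path must contain at least one non-empty segment");
  }
  return segs;
}

// Returns the validated segments, or throws on a prototype-reaching key.
// This is the check to run before handing a path to decal.set.
function validatePath(path) {
  const segs = toSegments(path);
  for (const seg of segs) {
    if (FORBIDDEN_SEGMENTS.has(seg)) {
      throw new Error(`refusing to set prototype-reaching key "${seg}"`);
    }
  }
  return segs;
}

// Hypothetical guarded deep set (stand-in for decal.set). Intermediate
// containers are null-prototype objects and only own properties are
// traversed, so a shared prototype is never reachable during the walk.
function safeSet(obj, path, value) {
  const segs = validatePath(path);
  let cur = obj;
  for (let i = 0; i < segs.length - 1; i++) {
    const seg = segs[i];
    const own = Object.prototype.hasOwnProperty.call(cur, seg);
    if (!own || typeof cur[seg] !== "object" || cur[seg] === null) {
      cur[seg] = Object.create(null);
    }
    cur = cur[seg];
  }
  cur[segs[segs.length - 1]] = value;
  return obj;
}

// Constructed sample: a benign path beside an attacker-shaped one.
function demo() {
  const benign = safeSet({}, "user.profile.name", "alice");
  let blocked = false;
  try { safeSet({}, "__proto__.isAdmin", true); } catch (e) { blocked = true; }
  // polluted stays undefined because the write never reached Object.prototype
  return { benignName: benign.user.profile.name, blocked, polluted: ({}).isAdmin };
}
```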

🧯 If You Can't Patch

  • Implement strict input validation and sanitization for all user inputs
  • Deploy web application firewall with prototype pollution detection rules

🔍 How to Verify

Check if Vulnerable:

Check package.json for decal dependency: grep -r 'decal' package.json

Check Version:

npm list decal

Verify Fix Applied:

Verify decal is removed from package.json and node_modules

📡 Detection & Monitoring

Log Indicators:

  • Unusual object property modifications
  • Application crashes with prototype-related errors

Network Indicators:

  • HTTP requests with specially crafted JSON payloads

SIEM Query:

source=web_logs AND (uri_path LIKE "%set%" OR post_data LIKE "%__proto__%" OR post_data LIKE "%constructor%")
