CVE-2020-28471 – CVE-2020-28471 is a prototype pollution vulnera... (How to Fix)

Q: What is the severity of CVE-2020-28471?

CVE-2020-28471 has a CVSS score of 7.3 (HIGH). CVE-2020-28471 is a prototype pollution vulnerability in the properties-reader npm package that allows attackers to inject arbitrary properties into JavaScript objects. This affects applications using properties-reader to parse .properties files, potentially leading to denial of service or remote code execution. Any Node.js application using vulnerable versions of this package is affected.

📋 TL;DR

CVE-2020-28471 is a prototype pollution vulnerability in the properties-reader npm package that allows attackers to inject arbitrary properties into JavaScript objects. This affects applications using properties-reader to parse .properties files, potentially leading to denial of service or remote code execution. Any Node.js application using vulnerable versions of this package is affected.

💻 Affected Systems

Products:

properties-reader npm package

Versions: All versions before 2.2.0

Operating Systems: All platforms running Node.js

Default Config Vulnerable: ⚠️ Yes

Notes: Vulnerability triggers when parsing malicious .properties files, regardless of configuration.

📦 What is this software?

Properties Reader by Properties Reader Project

View all CVEs affecting Properties Reader →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Remote code execution leading to complete system compromise, data theft, or ransomware deployment.

🟠

Likely Case

Denial of service through application crashes or unexpected behavior modification.

🟢

If Mitigated

Limited impact if input validation and sandboxing prevent prototype pollution exploitation.

🌐 Internet-Facing: HIGH - Web applications parsing user-supplied .properties files are directly exposed.

🏢 Internal Only: MEDIUM - Internal tools using this package could be exploited through malicious configuration files.

🎯 Exploit Status

Public PoC: ⚠️ Yes

Weaponized: LIKELY

Unauthenticated Exploit: ⚠️ Yes

Complexity: LOW

Proof-of-concept exploit code is publicly available in GitHub issues. Exploitation requires the application to parse attacker-controlled .properties files.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2.2.0

Vendor Advisory: https://github.com/steveukx/properties/commit/0877cc871db9865f58dd9389ce99e61be05380a5

Restart Required: Yes

Instructions:

1. Update package.json to specify 'properties-reader': '>=2.2.0'. 2. Run 'npm update properties-reader' or 'yarn upgrade properties-reader'. 3. Restart all Node.js applications using this package.

🔧 Temporary Workarounds

Input validation for .properties files

all

Validate and sanitize all .properties file inputs before parsing

Use Object.freeze() on prototypes

all

Freeze Object.prototype to prevent prototype pollution

Object.freeze(Object.prototype);

🧯 If You Can't Patch

Implement strict input validation for all .properties file sources
Isolate the vulnerable component in a sandboxed environment with limited permissions

🔍 How to Verify

Check if Vulnerable:

Check package.json or run 'npm list properties-reader' to see installed version

Check Version:

npm list properties-reader | grep properties-reader

Verify Fix Applied:

Confirm version is 2.2.0 or higher with 'npm list properties-reader'

📡 Detection & Monitoring

Log Indicators:

Unexpected application crashes when parsing .properties files
Unusual prototype property modifications in application logs

Network Indicators:

HTTP requests with malicious .properties file uploads
Unusual file upload patterns to endpoints accepting .properties files

SIEM Query:

source="application.logs" AND ("prototype pollution" OR "properties-reader" OR ".properties file parse error")

📊 Metadata

CVE ID: CVE-2020-28471

CVSS v3 Score: 7.3 (HIGH)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

CWE: CWE-1321

Published: July 25, 2022

Last Updated: November 21, 2024

🔗 References

https://github.com/steveukx/properties/commit/0877cc871db9865f58dd9389ce99e61be05380a5 Patch,Third Party Advisory
https://github.com/steveukx/properties/issues/40 Exploit,Issue Tracking,Third Party Advisory
https://security.snyk.io/vuln/SNYK-JS-PROPERTIESREADER-1048968 Exploit,Third Party Advisory
https://github.com/steveukx/properties/commit/0877cc871db9865f58dd9389ce99e61be05380a5 Patch,Third Party Advisory
https://github.com/steveukx/properties/issues/40 Exploit,Issue Tracking,Third Party Advisory
https://security.snyk.io/vuln/SNYK-JS-PROPERTIESREADER-1048968 Exploit,Third Party Advisory

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2020-28471, you might also want to check these: