CVE-2020-5258

7.7 HIGH

📋 TL;DR

CVE-2020-5258 is a prototype pollution vulnerability in the Dojo Toolkit's deepCopy method that allows attackers to inject malicious properties into JavaScript object prototypes. This affects applications using vulnerable versions of the dojo NPM package, potentially leading to denial of service, remote code execution, or privilege escalation.

💻 Affected Systems

Products:
  • Dojo Toolkit
  • Applications using dojo NPM package
Versions: All versions before 1.12.8, 1.13.7, 1.14.6, 1.15.3, and 1.16.2
Operating Systems: All platforms running Node.js or web browsers
Default Config Vulnerable: ⚠️ Yes
Notes: Any application using the vulnerable deepCopy method with untrusted input is affected.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Remote code execution leading to complete system compromise, data exfiltration, or persistent backdoor installation.

🟠 Likely Case: Denial of service, application crashes, or privilege escalation within the affected application.

🟢 If Mitigated: Limited impact with proper input validation and sandboxing, potentially only causing application instability.

🌐 Internet-Facing: HIGH - Web applications using dojo are directly exposed to attack vectors through user input.
🏢 Internal Only: MEDIUM - Internal applications are still vulnerable but have reduced attack surface.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires attacker-controlled input to the deepCopy method, which is common in web applications.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.12.8, 1.13.7, 1.14.6, 1.15.3, or 1.16.2

Vendor Advisory: https://github.com/dojo/dojo/security/advisories/GHSA-jxfh-8wgv-vfr2

Restart Required: Yes

Instructions:

1. Identify the dojo version in package.json.
2. Update to a patched version: npm install dojo@^1.12.8, or the patched version for your release line.
3. Restart the application.
4. Test functionality.

🔧 Temporary Workarounds

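Input validation and sanitization (all platforms)

Implement strict input validation for all data passed to the deepCopy method.

Object.freeze on prototypes (all platforms)

Freeze Object.prototype to prevent pollution. Test this before deploying: once the prototype is frozen, code that assigns to a property name inherited from Object.prototype (such as toString) on an ordinary object fails, silently in sloppy mode and with a TypeError in strict mode.

Object.freeze(Object.prototype);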

🧯 If You Can't Patch

  • Implement strict input validation and sanitization for all user inputs
  • Use alternative libraries or custom implementations instead of vulnerable deepCopy method
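
One way to implement the input validation named in the workarounds above, as an added example that is not part of the original page or of Dojo's code. The names stripDangerousKeys, naiveDeepCopy and copyUntrusted are hypothetical, naiveDeepCopy is a constructed stand-in for an unfiltered recursive copy, and the request body is a constructed sample.

```javascript
'use strict';
// Key names that can reach a prototype during a recursive copy.
const BLOCKED_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Return a sanitized deep clone of untrusted data, dropping blocked keys.
// Objects are rebuilt on a null prototype so no inherited setter is hit.
function stripDangerousKeys(value, dropped = []) {
  if (Array.isArray(value)) {
    return value.map((item) => stripDangerousKeys(item, dropped));
  }
  if (value === null || typeof value !== 'object') {
    return value;
  }
  const clean = Object.create(null);
  for (const key of Object.keys(value)) {
    if (BLOCKED_KEYS.has(key)) {
      dropped.push(key); // record the key so the caller can log or alert
      continue;
    }
    clean[key] = stripDangerousKeys(value[key], dropped);
  }
  return clean;
}

// Constructed stand-in for a recursive copy with no key filtering
// (hypothetical; this is not Dojo's deepCopy source).
function naiveDeepCopy(target, source) {
  for (const key in source) {
    const src = source[key];
    if (src && typeof src === 'object') {
      if (!target[key] || typeof target[key] !== 'object') target[key] = {};
      naiveDeepCopy(target[key], src);
    } else {
      target[key] = src;
    }
  }
  return target;
}

// Constructed sample request body carrying a prototype key.
const SAMPLE_BODY = '{"name":"report","__proto__":{"isAdmin":true}}';

// Sanitize first, then copy; return the copy plus the keys that were dropped.
function copyUntrusted(jsonText) {
  const dropped = [];
  const safe = stripDangerousKeys(JSON.parse(jsonText), dropped);
  return { copy: naiveDeepCopy({}, safe), dropped };
}
```

A non-empty dropped list is worth logging, since it lines up with the "suspicious property names in requests" indicator under Detection & Monitoring.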

🔍 How to Verify

Check if Vulnerable:

Check package.json for dojo version: grep -i dojo package.json

Check Version:

npm list dojo

Verify Fix Applied:

Verify installed version: npm list dojo | grep dojo

📡 Detection & Monitoring

Log Indicators:

  • Unexpected application crashes
  • Unusual prototype property modifications
  • Memory usage spikes

Network Indicators:

  • Malformed JSON payloads to APIs using deepCopy
  • Suspicious property names in requests

SIEM Query:

source="application_logs" AND ("deepCopy" OR "prototype") AND (error OR crash)
