CVE-2020-7707

9.8 CRITICAL

📋 TL;DR

CVE-2020-7707 is a prototype pollution vulnerability in property-expr package versions before 2.0.3. Attackers can inject malicious properties into JavaScript objects, potentially leading to remote code execution or denial of service. This affects any application using vulnerable versions of the property-expr library.

💻 Affected Systems

Products:
  • property-expr
  • applications using property-expr library
Versions: All versions before 2.0.3
Operating Systems: All platforms running Node.js
Default Config Vulnerable: ⚠️ Yes
Notes: Any application that uses the setter function from property-expr with untrusted input is vulnerable.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Remote code execution leading to complete system compromise, data theft, or ransomware deployment.

🟠 Likely Case

Denial of service, privilege escalation, or data manipulation through object pollution.

🟢 If Mitigated

Limited impact if input validation and sanitization prevent malicious payloads from reaching vulnerable functions.

🌐 Internet-Facing: HIGH - Web applications using this library are directly exposed to exploitation attempts.
🏢 Internal Only: MEDIUM - Internal applications could be exploited through authenticated attacks or supply chain compromises.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires the application to process attacker-controlled input through the vulnerable setter function.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2.0.3 and later

Vendor Advisory: https://github.com/jquense/expr/commit/df846910915d59f711ce63c1f817815bceab5ff7

Restart Required: Yes

Instructions:

1. Update property-expr to version 2.0.3 or later using npm update property-expr.
2. Restart all affected applications.
3. Verify no dependencies are pulling in older versions.

🔧 Temporary Workarounds

Input validation and sanitization

all

Implement strict input validation to prevent malicious payloads from reaching the setter function.
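
One way to apply this workaround, as an added example that is not code from property-expr or from this advisory: a fail-closed check on property paths that runs before any path reaches the setter function. The names splitPath, isSafePath and safeSet are hypothetical, and the tokenizer is a simplified assumption about the path syntax rather than the library's own parser.

```javascript
// Added example (not from property-expr or the advisory); all names are hypothetical.
// Keys that walk from an ordinary object to a shared prototype.
const BLOCKED_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Simplified tokenizer for dot/bracket paths such as a.b[0]["c"].
// Assumption: it only approximates the library's path syntax and rejects
// anything it does not recognise, instead of guessing.
function splitPath(path) {
  if (typeof path !== 'string' || path.length === 0 || path.length > 256) return null;
  const token = /\.?([A-Za-z_$][\w$]*)|\[(\d+)\]|\[(["'])([^"'\\]*)\3\]/y;
  const parts = [];
  while (token.lastIndex < path.length) {
    const m = token.exec(path);
    if (m === null) return null; // unrecognised syntax: fail closed
    parts.push(m[1] ?? m[2] ?? m[4]);
  }
  return parts;
}

// True only when every segment parses and none is a blocked key.
function isSafePath(path) {
  const parts = splitPath(path);
  return parts !== null && !parts.some((p) => BLOCKED_KEYS.has(p));
}

// Wrap a setter factory (in an application: require('property-expr').setter)
// so untrusted paths are checked before the setter is ever built.
function safeSet(setterFactory, target, path, value) {
  if (!isSafePath(path)) throw new TypeError('rejected property path');
  setterFactory(path)(target, value);
  return target;
}

// Constructed sample inputs, e.g. field names taken from a request body.
const SAMPLE_PATHS = ['user.address.city', 'items[0]["name"]',
  '__proto__.polluted', 'a["constructor"].prototype.x', 'a[b'];

function classify(paths) {
  return paths.map((p) => ({ path: p, allowed: isSafePath(p) }));
}

console.table(classify(SAMPLE_PATHS));
```

The check is a stopgap for deployments that cannot yet move to 2.0.3; it does not replace the upgrade.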

🧯 If You Can't Patch

  • Implement WAF rules to block prototype pollution payloads in HTTP requests.
  • Isolate affected applications in network segments with strict access controls.

🔍 How to Verify

Check if Vulnerable:

Check package.json or run npm list property-expr to see if version is below 2.0.3.

Check Version:

npm list property-expr | grep property-expr

Verify Fix Applied:

Confirm property-expr version is 2.0.3 or higher using npm list property-expr.

📡 Detection & Monitoring

Log Indicators:

  • Unusual object property modifications
  • Unexpected prototype chain alterations
  • Application crashes related to object manipulation

Network Indicators:

  • HTTP requests containing __proto__ or constructor payloads
  • Unusual patterns in API calls to object manipulation endpoints

SIEM Query:

search 'property-expr' OR 'prototype pollution' in application logs
