CVE-2020-7715 – CVE-2020-7715 is a prototype pollution vulnerab... (How to Fix)

Q: What is the severity of CVE-2020-7715?

CVE-2020-7715 has a CVSS score of 9.8 (CRITICAL). CVE-2020-7715 is a prototype pollution vulnerability in the deep-get-set npm package that allows attackers to modify object prototypes, potentially leading to denial of service, remote code execution, or privilege escalation. Any application using this package is affected, particularly Node.js applications that process untrusted user input. The vulnerability exists in all versions of the package.

📋 TL;DR

CVE-2020-7715 is a prototype pollution vulnerability in the deep-get-set npm package that allows attackers to modify object prototypes, potentially leading to denial of service, remote code execution, or privilege escalation. Any application using this package is affected, particularly Node.js applications that process untrusted user input. The vulnerability exists in all versions of the package.

💻 Affected Systems

Products:

deep-get-set npm package

Versions: All versions before 1.1.2

Operating Systems: All operating systems running Node.js

Default Config Vulnerable: ⚠️ Yes

Notes: Any Node.js application using deep-get-set with untrusted input is vulnerable regardless of configuration.

📦 What is this software?

Deep Get Set by Deep Get Set Project

View all CVEs affecting Deep Get Set →

⚠️ Manual Verification Required

This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.

Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).

🔒 Custom verification scripts are available for registered users. Sign up free to download automated test scripts.

Recommended Actions:

Review the CVE details at NVD
Check vendor security advisories for your specific version
Test if the vulnerability is exploitable in your environment
Consider updating to the latest version as a precaution

⚠️ Risk & Real-World Impact

🔴

Worst Case

Remote code execution leading to complete system compromise, data theft, or ransomware deployment.

🟠

Likely Case

Denial of service, application crashes, or unauthorized data manipulation through prototype pollution.

🟢

If Mitigated

Limited impact if input validation and sanitization are implemented, though the core vulnerability remains.

🌐 Internet-Facing: HIGH - Web applications using this package with user input are directly exposed.

🏢 Internal Only: MEDIUM - Internal applications could be exploited through authenticated users or lateral movement.

🎯 Exploit Status

Public PoC: ⚠️ Yes

Weaponized: LIKELY

Unauthenticated Exploit: ⚠️ Yes

Complexity: LOW

Exploitation requires attacker-controlled input to the vulnerable function. Public proof-of-concept code exists demonstrating prototype pollution.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.1.2

Vendor Advisory: https://www.npmjs.com/advisories/1321

Restart Required: Yes

Instructions:

1. Update package.json to specify 'deep-get-set': '^1.1.2'. 2. Run 'npm update deep-get-set'. 3. Restart the application. 4. Test functionality.

🔧 Temporary Workarounds

Input validation and sanitization

all

Implement strict input validation to prevent malicious payloads from reaching the deep-get-set function.

Object.freeze on Object.prototype

all

Prevent prototype pollution by freezing Object.prototype (may break legitimate functionality).

Object.freeze(Object.prototype)

🧯 If You Can't Patch

Remove deep-get-set dependency and replace with alternative libraries like lodash.get
Implement strict input validation and sanitization for all user inputs

🔍 How to Verify

Check if Vulnerable:

Check package.json or run 'npm list deep-get-set' to see if version is below 1.1.2.

Check Version:

npm list deep-get-set

Verify Fix Applied:

Verify package.json specifies 'deep-get-set': '^1.1.2' and 'npm list deep-get-set' shows version 1.1.2 or higher.

📡 Detection & Monitoring

Log Indicators:

Unexpected application crashes
Unusual prototype modifications in logs
Error messages related to object property access

Network Indicators:

Unusual HTTP requests with crafted payloads targeting deep-get-set functionality

SIEM Query:

source='application.log' AND (message LIKE '%deep-get-set%' OR message LIKE '%prototype%' OR message LIKE '%unexpected property%')

📊 Metadata

CVE ID: CVE-2020-7715

CVSS v3 Score: 9.8 (CRITICAL)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE: CWE-1321

Published: September 1, 2020

Last Updated: November 21, 2024

🔗 References

https://snyk.io/vuln/SNYK-JS-DEEPGETSET-598666 Exploit,Third Party Advisory
https://snyk.io/vuln/SNYK-JS-DEEPGETSET-598666 Exploit,Third Party Advisory

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2020-7715, you might also want to check these: