CVE-2020-8268

7.5 HIGH

📋 TL;DR

This is a prototype pollution vulnerability in the json8-merge-patch npm package: a crafted merge patch can make the library write properties onto shared JavaScript object prototypes instead of the intended target object. Applications using vulnerable versions of this package are affected; depending on how the polluted properties are later used by the application, the impact can reach remote code execution or privilege escalation.

💻 Affected Systems

Products:
  • json8-merge-patch npm package
Versions: All versions < 1.0.3
Operating Systems: All platforms running Node.js
Default Config Vulnerable: ⚠️ Yes
Notes: Any application using json8-merge-patch for JSON merging operations is vulnerable.

📦 What is this software?

json8-merge-patch is the JSON Merge Patch (RFC 7396) implementation from the JSON8 project (github.com/sonnyp/JSON8), published on npm and used by Node.js applications to apply partial updates to JSON documents.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Remote code execution leading to complete system compromise, data theft, or ransomware deployment.

🟠 Likely Case: Privilege escalation, unauthorized data access, or denial of service through application manipulation.

🟢 If Mitigated: Limited impact if proper input validation and sandboxing are implemented, potentially only causing application crashes.

🌐 Internet-Facing: HIGH - Web applications using this package are directly exposed to exploitation via user input.
🏢 Internal Only: MEDIUM - Internal applications could be exploited by authenticated users or through other attack vectors.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: MEDIUM

Exploitation requires crafting malicious JSON input that triggers prototype pollution.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.0.3

Vendor Advisory: https://github.com/sonnyp/JSON8/security/advisories/GHSA-9c6c-wf6q-7c4h

Restart Required: Yes

Instructions:

1. Update package.json to specify json8-merge-patch version 1.0.3 or higher.
2. Run 'npm update json8-merge-patch'.
3. Restart all Node.js applications using this package.

🔧 Temporary Workarounds

Input Validation (applies to: all)

Implement strict input validation to reject malformed JSON objects before they reach the merge routine.

Package Lock (applies to: all)

Use npm audit fix to automatically update vulnerable dependencies.

npm audit fix
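The TL;DR above describes the bug class (a merge patch that reaches object prototypes) and the Input Validation workaround asks for rejecting hostile documents before merging. The following is an added example written for this page; it is not code from json8-merge-patch or the JSON8 project, and the function names (naiveMergePatch, safeMergePatch, findForbiddenKeys, demonstrate) and sample inputs are constructed for illustration. It contrasts a naive RFC 7396 merge with a hardened one and adds a pre-merge validator that reports where prototype-related keys occur.

```javascript
// Added example, not code from json8-merge-patch or the JSON8 project.
// Contrasts a naive RFC 7396 JSON Merge Patch with a hardened one and
// provides a pre-merge validator for the "Input Validation" workaround.
// Function names and sample inputs are constructed for illustration.

// Keys a merge must never recurse into: following them reaches
// Object.prototype (or the Object constructor) instead of the target.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function isPlainObject(value) {
  return value !== null && typeof value === 'object' && !Array.isArray(value);
}

// Naive merge: recurses into every enumerable key of the patch. When the
// patch came from JSON.parse, "__proto__" is an own data property of the
// patch, but target["__proto__"] resolves to Object.prototype, which is
// then written to.
function naiveMergePatch(target, patch) {
  if (!isPlainObject(patch)) return patch;     // non-object patch replaces target
  if (!isPlainObject(target)) target = {};
  for (const key in patch) {
    if (patch[key] === null) delete target[key]; // null removes the member (RFC 7396)
    else target[key] = naiveMergePatch(target[key], patch[key]);
  }
  return target;
}

// Hardened merge: iterates own keys only and refuses prototype-related keys
// at any depth, so the patch cannot steer the recursion off the target.
function safeMergePatch(target, patch) {
  if (!isPlainObject(patch)) return patch;
  if (!isPlainObject(target)) target = {};
  for (const key of Object.keys(patch)) {
    if (FORBIDDEN_KEYS.has(key)) {
      throw new TypeError(`refusing to merge prototype-related key "${key}"`);
    }
    if (patch[key] === null) delete target[key];
    else target[key] = safeMergePatch(target[key], patch[key]);
  }
  return target;
}

// Pre-merge validator: walks a parsed JSON document and returns the paths of
// every forbidden key. An empty array means the document is safe to merge; a
// non-empty one is a reason to reject the request and a log-worthy indicator.
function findForbiddenKeys(value, path = '$') {
  const hits = [];
  if (Array.isArray(value)) {
    value.forEach((item, i) => hits.push(...findForbiddenKeys(item, `${path}[${i}]`)));
  } else if (isPlainObject(value)) {
    for (const key of Object.keys(value)) {
      const here = `${path}.${key}`;
      if (FORBIDDEN_KEYS.has(key)) hits.push(here);
      hits.push(...findForbiddenKeys(value[key], here));
    }
  }
  return hits;
}

// Runs the three behaviours on constructed inputs and returns the results.
function demonstrate() {
  // Constructed sample of the input class the advisory describes.
  const hostile = JSON.parse('{"name": "x", "__proto__": {"polluted": true}}');
  const benign = { a: { b: null, e: 5 }, d: null };

  naiveMergePatch({}, hostile);
  const naivePolluted = Object.prototype.hasOwnProperty('polluted');
  delete Object.prototype.polluted; // undo the pollution so the process stays sane

  let safeRejected = false;
  try { safeMergePatch({}, hostile); } catch (e) { safeRejected = e instanceof TypeError; }

  const merged = safeMergePatch({ a: { b: 1, c: 2 }, d: 4 }, benign);
  return {
    naivePolluted,                            // true: naive merge reached Object.prototype
    safeRejected,                             // true: hardened merge threw instead
    merged,                                   // { a: { c: 2, e: 5 } }: RFC 7396 semantics intact
    hostilePaths: findForbiddenKeys(hostile), // ['$.__proto__']
    benignPaths: findForbiddenKeys(benign),   // []
  };
}

if (typeof module !== 'undefined' && require.main === module) console.log(demonstrate());
```

Run findForbiddenKeys on every parsed request body before it reaches the merge routine; reject the request when the result is non-empty and log the returned paths, which gives the "suspicious prototype modification attempts" indicator named under Detection & Monitoring a concrete field to search on. Note that the validator only catches the key-based form of pollution; updating to 1.0.3 remains the actual fix.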

🧯 If You Can't Patch

  • Implement Web Application Firewall (WAF) rules to block malicious JSON payloads.
  • Isolate affected applications in network segments with restricted access.

🔍 How to Verify

Check if Vulnerable:

Check package.json for json8-merge-patch version < 1.0.3 or run 'npm list json8-merge-patch'.

Check Version:

npm list json8-merge-patch | grep json8-merge-patch

Verify Fix Applied:

Confirm json8-merge-patch version is 1.0.3 or higher using 'npm list json8-merge-patch'.

📡 Detection & Monitoring

Log Indicators:

  • Unusual JSON parsing errors
  • Application crashes during JSON processing
  • Suspicious prototype modification attempts

Network Indicators:

  • Malformed JSON payloads in HTTP requests
  • Unexpected object property modifications

SIEM Query:

source="application_logs" AND ("json8-merge-patch" OR "prototype pollution")
