Platform
nodejs
Component
object-path
Fixed in
0.11.6
0.11.5
CVE-2020-15256 describes a prototype pollution vulnerability affecting the object-path library. This flaw, present in versions 0.11.4 and earlier, allows attackers to modify inherited properties of objects through the set() method when includeInheritedProps is enabled. This can lead to unexpected behavior or potentially arbitrary code execution. The vulnerability is fixed in version 0.11.5.
Successful exploitation of CVE-2020-15256 can allow an attacker to inject malicious properties into the prototypes of JavaScript objects. This can lead to denial-of-service conditions, unexpected application behavior, or even remote code execution, depending on how the affected application utilizes these objects. The impact is particularly severe if the application relies on these prototypes for security checks or data validation. Prototype pollution vulnerabilities, like this one, can be difficult to detect and can have far-reaching consequences.
CVE-2020-15256 was published on October 19, 2020. Public proof-of-concept exploits are available, demonstrating the feasibility of exploitation. The vulnerability is not currently listed on KEV or EPSS, suggesting a moderate probability of exploitation in the wild. It's important to note that prototype pollution vulnerabilities are often difficult to detect in production environments.
Exploit status
EPSS
0.16% (37th percentile)
CVSS vector
The recommended mitigation for CVE-2020-15256 is to upgrade the object-path package to version 0.11.5 or later. If an immediate upgrade is not possible, disable the includeInheritedProps option by creating a new instance of object-path without setting this option or by using the default withInheritedProps instance. Consider implementing input validation and sanitization to prevent malicious data from being passed to the set() method. After upgrading, verify the fix by attempting to pollute the prototype with a malicious property; the operation should fail.
Update the object-path library to version 0.11.5 or later. If you cannot update, avoid using the `includeInheritedProps: true` option or the `withInheritedProps` instance in versions 0.11.0 and later. If you are using a version earlier than 0.11.0, the only fix is to update.
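The verification advice above ("attempt to pollute the prototype; the operation should fail") can be turned into a small check. The following is an added example, not object-path's own code: a naive deep-set illustrating the vulnerable pattern, a hardened setter that refuses prototype-reaching path segments, and a helper that reports whether a given setter leaks into `Object.prototype`. The names `unsafeSet`, `safeSet` and `setterIsSafe` are hypothetical.

```javascript
// Added example (hypothetical names, not object-path's code).
const UNSAFE_SEGMENTS = new Set(['__proto__', 'constructor', 'prototype']);

function splitPath(path) {
  return Array.isArray(path) ? path : String(path).split('.');
}

// Vulnerable pattern: descends into whatever node[seg] resolves to, including
// inherited values such as ({})['__proto__'], which is Object.prototype.
function unsafeSet(target, path, value) {
  const segments = splitPath(path);
  let node = target;
  for (let i = 0; i < segments.length - 1; i++) {
    if (node[segments[i]] === undefined) node[segments[i]] = {};
    node = node[segments[i]];
  }
  node[segments[segments.length - 1]] = value;
  return target;
}

// Hardened pattern: reject dangerous segments up front and only descend into
// own, plain-object properties of the target.
function safeSet(target, path, value) {
  const segments = splitPath(path);
  for (const seg of segments) {
    if (UNSAFE_SEGMENTS.has(seg)) throw new Error(`unsafe path segment: ${seg}`);
  }
  let node = target;
  for (let i = 0; i < segments.length - 1; i++) {
    const seg = segments[i];
    const own = Object.prototype.hasOwnProperty.call(node, seg);
    if (!own || typeof node[seg] !== 'object' || node[seg] === null) node[seg] = {};
    node = node[seg];
  }
  node[segments[segments.length - 1]] = value;
  return target;
}

// Verification: call `setFn` with a prototype-reaching path on a throwaway
// object, then check whether a fresh object inherited the marker.
// Returns true when nothing leaked (a thrown error counts as a refusal).
function setterIsSafe(setFn) {
  const marker = 'pp_check_' + Math.random().toString(36).slice(2);
  try {
    setFn({}, ['__proto__', marker], 'polluted');
  } catch (e) { /* refusal is the desired outcome */ }
  const leaked = ({})[marker] !== undefined;
  if (leaked) delete Object.prototype[marker]; // undo so later code is unaffected
  return !leaked;
}
```

The same `setterIsSafe` check can be pointed at a real library setter (for example a bound `set()` from the object-path version you deploy) to confirm that the inherited-property path is refused after upgrading.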
Prototype pollution occurs when the prototype of an object is modified, affecting all instances of that object. This can lead to unexpected behavior and security issues.
Check the version of object-path in your project. If it's less than or equal to 0.11.4, you're using a vulnerable version.
If you are using withInheritedProps, it's crucial to update to version 0.11.5 or higher. If you can't update, consider disabling this functionality.
Perform a thorough security audit to identify any damage caused by the vulnerability. Implement additional security measures to prevent future attacks.
Consult the CVE-2020-15256 entry in vulnerability databases such as the National Vulnerability Database (NVD).