Platform
nodejs
Component
object-path
Fixed in
0.11.6
0.11.5
CVE-2020-15256 describes a prototype pollution vulnerability in the object-path library. The flaw, present in versions 0.11.4 and earlier, allows an attacker who controls the path passed to the set() method to modify object prototypes (inherited properties) when the includeInheritedProps mode is enabled. This can lead to unexpected behavior or potentially arbitrary code execution. The vulnerability is fixed in version 0.11.5.
A prototype pollution vulnerability has been found in object-path <= 0.11.4 affecting the set() method. The vulnerability is limited to the includeInheritedProps mode (if version >= 0.11.0 is used), which has to be explicitly enabled by creating a new instance of object-path and setting the option includeInheritedProps: true, or by using the default withInheritedProps instance. The default operating mode is not affected by the vulnerability if version >= 0.11.0 is used. An attacker could exploit this vulnerability to modify properties on object prototypes, potentially leading to unexpected behavior or even malicious code execution if the affected object is used in sensitive operations. The CVSS severity is 7.7, indicating a high risk.
Exploitation of this vulnerability requires control over the input provided to the set() method while in includeInheritedProps mode. An attacker could inject malicious data that modifies object prototypes, potentially affecting other parts of the application that use those objects. The difficulty of exploitation depends on the attacker's ability to control the input and the complexity of the application. The vulnerability is more critical in applications that use object-path to manipulate sensitive data or that run in elevated privilege environments.
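The following is an added illustration, not code from the object-path project: a minimal path-based `setPath()` that models the two traversal modes the advisory describes. It shows why following inherited properties lets a `__proto__` path segment reach `Object.prototype`, why own-property-only traversal does not, and how a deny-list of prototype-related keys closes the path. The function names, the `hardened` option and the sample path are constructed for this example.

```javascript
// Added example: a constructed model of a path-based set() with the two
// traversal modes described in the advisory. NOT object-path's code.

// Keys that can redirect a traversal into a prototype chain.
const PROTOTYPE_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Walk `path` into `obj`, creating intermediate objects as needed.
//   includeInheritedProps: treat inherited properties as "existing" and
//                          descend into them (the mode the advisory flags).
//   hardened:              refuse any segment in PROTOTYPE_KEYS.
function setPath(obj, path, value, { includeInheritedProps = false, hardened = false } = {}) {
  const segments = Array.isArray(path) ? path : String(path).split('.');
  let current = obj;
  for (let i = 0; i < segments.length; i++) {
    const key = segments[i];
    if (hardened && PROTOTYPE_KEYS.has(key)) {
      throw new Error(`refusing to traverse prototype key "${key}"`);
    }
    if (i === segments.length - 1) {
      current[key] = value;
      return obj;
    }
    // Own-property mode: "__proto__" is not an own property of {}, so a fresh
    // object is assigned (which only re-parents this one object).
    // Inherited mode: "__proto__" in {} is true and resolves to
    // Object.prototype, so the walk continues into the shared prototype.
    const exists = includeInheritedProps
      ? key in current
      : Object.prototype.hasOwnProperty.call(current, key);
    if (!exists || typeof current[key] !== 'object' || current[key] === null) {
      current[key] = {};
    }
    current = current[key];
  }
  return obj;
}

// Detection helper: has `key` leaked onto the shared Object.prototype?
function isPolluted(key) {
  return Object.prototype.hasOwnProperty.call(Object.prototype, key);
}

function demo() {
  const results = {};
  const path = '__proto__.polluted'; // constructed attacker-controlled path

  // 1. Own-property mode: Object.prototype stays clean.
  setPath({}, path, 'yes', { includeInheritedProps: false });
  results.defaultMode = isPolluted('polluted');

  // 2. Inherited-props mode: the walk reaches Object.prototype.
  setPath({}, path, 'yes', { includeInheritedProps: true });
  results.inheritedMode = isPolluted('polluted');
  delete Object.prototype.polluted; // undo the pollution for the rest of the process

  // 3. Hardened traversal refuses the dangerous segment outright.
  let blocked = false;
  try {
    setPath({}, path, 'yes', { includeInheritedProps: true, hardened: true });
  } catch (e) {
    blocked = true;
  }
  results.hardened = blocked;
  results.cleanAfter = isPolluted('polluted');
  return results;
}

console.log(demo());
// { defaultMode: false, inheritedMode: true, hardened: true, cleanAfter: false }
```

The `isPolluted()` check is the kind of assertion worth running in a test suite after exercising any code that feeds user-controlled paths into a setter: if a key ever appears as an own property of `Object.prototype`, some traversal has escaped into the prototype chain.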
Exploit Status
EPSS
0.16% (37th percentile)
CVSS Vector
The fix is to update the object-path library to version 0.11.5 or higher. If an immediate update is not possible, keep the includeInheritedProps mode disabled: do not create instances with includeInheritedProps: true, and use the default withInheritedProps instance only if absolutely necessary. Review all code that calls object-path with paths influenced by untrusted input so that any prototype pollution impact can be identified and mitigated. Test thoroughly after applying any mitigation to confirm both that the application still works and that the vulnerability is resolved. Monitoring application logs for paths that contain prototype keys (such as __proto__) can help detect exploitation attempts.
Update the object-path library to version 0.11.5 or higher. If you cannot update, avoid using the `includeInheritedProps: true` option or the `withInheritedProps` instance in versions greater than or equal to 0.11.0. If you are using a version prior to 0.11.0, the only solution is to update.
Prototype pollution occurs when an attacker modifies an object's prototype (typically the shared Object.prototype). Because properties are looked up through the prototype chain, every object that inherits from the modified prototype is affected, which can lead to unexpected behavior and security issues.
Check the version of object-path in your project. If it's less than or equal to 0.11.4, you're using a vulnerable version.
If you are using withInheritedProps, it's crucial to update to version 0.11.5 or higher. If you can't update, consider disabling this functionality.
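The version check and the "update or disable the mode" decision above can be encoded in a small audit routine. The following is an added example, not part of the advisory or the object-path project: it classifies an object-path version against the ranges the advisory gives and scans a package-lock.json "packages" map (the lockfileVersion 2/3 layout) for every copy of the package. The sample lockfile and the status labels are constructed for this example.

```javascript
// Added example: triage installed object-path versions against the ranges
// stated in the advisory. Not code from the object-path project.

function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  if (!m) throw new Error(`unparseable version: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

// -1, 0 or 1, comparing major.minor.patch numerically.
function compareVersions(a, b) {
  const [x, y] = [parseVersion(a), parseVersion(b)];
  for (let i = 0; i < 3; i++) {
    if (x[i] !== y[i]) return x[i] < y[i] ? -1 : 1;
  }
  return 0;
}

// Returns 'fixed', 'vulnerable' or 'vulnerable-if-inherited-props'.
//   >= 0.11.5           : fixed
//   <  0.11.0           : vulnerable; updating is the only fix
//   0.11.0 .. 0.11.4    : exposed only when includeInheritedProps: true or
//                         the withInheritedProps instance is used
function classifyObjectPath(version, { usesInheritedProps = false } = {}) {
  if (compareVersions(version, '0.11.5') >= 0) return 'fixed';
  if (compareVersions(version, '0.11.0') < 0) return 'vulnerable';
  return usesInheritedProps ? 'vulnerable' : 'vulnerable-if-inherited-props';
}

// Walk the "packages" map of a lockfileVersion 2/3 package-lock.json and
// report every installed copy of object-path, including nested ones.
function auditLockfile(lock, opts) {
  const findings = [];
  for (const [pkgPath, meta] of Object.entries(lock.packages || {})) {
    if (pkgPath === 'node_modules/object-path' || pkgPath.endsWith('/node_modules/object-path')) {
      findings.push({
        path: pkgPath,
        version: meta.version,
        status: classifyObjectPath(meta.version, opts),
      });
    }
  }
  return findings;
}

// Constructed sample lockfile: one direct copy on 0.11.4 and one nested
// copy on 0.9.2 pulled in by a hypothetical dependency.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app' },
    'node_modules/object-path': { version: '0.11.4' },
    'node_modules/some-dep/node_modules/object-path': { version: '0.9.2' },
  },
};

console.log(auditLockfile(SAMPLE_LOCK));
```

Pass `{ usesInheritedProps: true }` when a code search shows the application constructs object-path instances with `includeInheritedProps: true` or imports `withInheritedProps`; in that case a 0.11.0 to 0.11.4 copy is reported as plainly vulnerable rather than conditionally so.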
Perform a thorough security audit to identify any damage caused by the vulnerability. Implement additional security measures to prevent future attacks.
Consult the CVE-2020-15256 entry in vulnerability databases such as the National Vulnerability Database (NVD).