VYPR
High severityNVD Advisory· Published Nov 10, 2020· Updated Aug 4, 2024

CVE-2020-28267

Description

Prototype pollution in @strikeentco/set 1.0.0 allows attackers to cause denial of service or potentially achieve remote code execution.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

CVE-2020-28267 describes a prototype pollution vulnerability in the npm package @strikeentco/set version 1.0.0. The package sets nested values on an object using a dot path or a custom separator. Prototype pollution occurs when an attacker can inject properties into Object.prototype, the prototype shared by all plain objects, so that every object in the application appears to carry the injected property and behaves accordingly. The commit diff [1] shows that the package was updated to version 1.0.1, likely to address this issue, though the specific fix is not detailed in the reference.

Exploitation

An attacker can exploit this vulnerability by supplying a crafted path or value that pollutes the prototype of the object. No prior authentication is required where the vulnerable function is reachable from user input: any application that passes untrusted input to set() could be affected [3]. The attack surface is therefore every endpoint or component that forwards user-controlled path or value parameters to the set function.

Impact

Successful exploitation can lead to denial of service (DoS) through unexpected behavior or crashes. More critically, prototype pollution can enable remote code execution (RCE) if the polluted property influences later code paths, for example a property that is consulted by a command-injection-prone or otherwise dangerous operation [2]. The CVSS score is not specified, but the combination of DoS and potential RCE elevates the severity.

Mitigation

The vulnerability is patched in version 1.0.1 of @strikeentco/set [1]. Users should update their dependencies to the latest version. There is no evidence that this vulnerability is exploited in the wild or listed in CISA's Known Exploited Vulnerabilities catalog. As a general practice, developers should avoid passing untrusted input to functions that modify object properties without proper sanitization.
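As an added example that is not the package's code: a hardened setter that rejects the same prototype-reaching keys the 1.0.1 fix targets (plus `prototype`), and a probe a service can call to detect whether Object.prototype has already been polluted. The names safeSet and pollutedKeys are this example's own.

```javascript
'use strict';

// Keys that make a path reach a prototype instead of an own property.
const BLOCKED_KEYS = new Set(['__proto__', 'constructor', 'prototype']);
const isObject = (v) => v !== null && (typeof v === 'object' || typeof v === 'function');
const hasOwn = (o, k) => Object.prototype.hasOwnProperty.call(o, k);

// Hardened nested setter (hypothetical name). Any blocked segment rejects the
// whole write instead of being skipped, and the result says whether it applied.
function safeSet(obj, path, val, sep = '.') {
  if (!isObject(obj) || !path || !path.length) return { ok: false, obj };
  const parts = Array.isArray(path) ? path.map(String) : String(path).split(sep);
  if (parts.some((p) => BLOCKED_KEYS.has(p))) return { ok: false, obj };
  let tmp = obj;
  for (let i = 0; i < parts.length - 1; i += 1) {
    const part = parts[i];
    // Descend only through own, object-valued properties: inherited members
    // such as methods on Object.prototype are never used as traversal steps.
    if (!hasOwn(tmp, part) || !isObject(tmp[part])) tmp[part] = {};
    tmp = tmp[part];
  }
  tmp[parts[parts.length - 1]] = val;
  return { ok: true, obj };
}

// Runtime probe (hypothetical name): returns the names in `keys` that a brand
// new object inherits, i.e. evidence that Object.prototype has been polluted.
function pollutedKeys(keys) {
  const fresh = {};
  return keys.filter((k) => !hasOwn(fresh, k) && k in fresh);
}
```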

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: @strikeentco/set (npm)
Affected versions: >= 1.0.0, < 1.0.1
Patched versions: 1.0.1

Affected products: 2

Patches: 1
102cc6b2e1d1

1.0.1

https://github.com/strikeentco/set · Alexey Bystrov · Oct 29, 2020 · via ghsa
7 files changed · +2839 −3951
  • LICENSE (+1 −1, modified)
    @@ -1,6 +1,6 @@
     The MIT License (MIT)
     
    -Copyright (c) 2018 Alexey Bystrov
    +Copyright (c) 2018-present Alexey Bystrov
     
     Permission is hereby granted, free of charge, to any person obtaining a copy
     of this software and associated documentation files (the "Software"), to deal
    
  • main.js (+18 −1, modified)
    @@ -1,22 +1,39 @@
     'use strict';
     
    -const isObject = val => typeof val === 'object' || typeof val === 'function';
    +/* eslint-disable no-continue */
    +
    +const isObject = (val) => typeof val === 'object' || typeof val === 'function';
    +const isProto = (val, obj) => val === '__proto__' || (val === 'constructor' && typeof obj.constructor === 'function');
     const set = (obj, parts, length, val) => {
       let tmp = obj;
       let i = 0;
       for (; i < length - 1; i++) {
         const part = parts[i];
    +    if (isProto(part, tmp)) {
    +      continue;
    +    }
         tmp = !isObject(tmp[part]) ? tmp[part] = {} : tmp[part];
       }
       tmp[parts[i]] = val;
       return obj;
     };
     
    +/**
    +* Sets nested values on an object using a dot path or custom separator
    +* @param {Object} obj
    +* @param {String|Array} path
    +* @param {Any} val
    +* @param {String} [sep = '.']
    +* @returns {Object}
    +*/
     module.exports = (obj, path, val, sep = '.') => {
       if (!isObject(obj) || !path || !path.length) {
         return obj;
       }
       const parts = Array.isArray(path) ? path : String(path).split(sep);
    +  if (isProto(parts[0], obj)) {
    +    return obj;
    +  }
       const { length } = parts;
       if (length === 1) {
         obj[parts[0]] = val;
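Review bot: in the loop guard, `continue` silently drops the blocked segment and lets the write land at a different path (a path `a.__proto__.b` ends up writing `a.b`), while the top-level check right after the split returns `obj` untouched; the two branches should behave the same, and returning early is the safer choice because a caller cannot otherwise tell a rejected write from an applied one. The final assignment `tmp[parts[i]] = val` is also unguarded, so a trailing `__proto__` segment still goes through the nested object's `__proto__` setter; checking `isProto(parts[i], tmp)` before that line, or validating every segment once up front, closes both gaps. Separately, `isObject` (reformatted in this hunk) still returns true for `null`, so a `null` intermediate value is assigned to `tmp` and the next iteration throws a TypeError.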
    
  • package.json (+11 −11, modified)
    @@ -1,7 +1,7 @@
     {
       "name": "@strikeentco/set",
       "author": "Alexey Bystrov <strikeentco@gmail.com>",
    -  "version": "1.0.0",
    +  "version": "1.0.1",
       "description": "Set nested values on an object using a dot path or custom separator",
       "engines": {
         "node": ">=6.0.0"
    @@ -37,9 +37,9 @@
       ],
       "scripts": {
         "test": "mocha test",
    -    "lint": "eslint main.js",
    +    "lint": "npx eslint main.js",
         "check": "npm run lint && npm run test",
    -    "cover": "nyc ./node_modules/mocha/bin/_mocha && nyc report --reporter=html",
    +    "cover": "nyc ./node_modules/mocha/bin/_mocha && nyc report --reporter=html --reporter=json-summary",
         "test-on-travis": "nyc ./node_modules/mocha/bin/_mocha && nyc report --reporter=lcovonly"
       },
       "repository": {
    @@ -50,14 +50,14 @@
         "url": "https://github.com/strikeentco/set/issues"
       },
       "devDependencies": {
    -    "eslint": "^4.18.1",
    -    "eslint-config-airbnb": "^16.1.0",
    -    "eslint-plugin-import": "^2.9.0",
    -    "eslint-plugin-jsx-a11y": "^6.0.3",
    -    "eslint-plugin-react": "^7.7.0",
    -    "mocha": "^5.0.1",
    -    "nyc": "^11.4.1",
    -    "should": "^13.2.1"
    +    "eslint": "^7.12.1",
    +    "eslint-config-airbnb": "^18.2.0",
    +    "eslint-plugin-import": "^2.22.1",
    +    "eslint-plugin-jsx-a11y": "^6.4.1",
    +    "eslint-plugin-react": "^7.21.5",
    +    "mocha": "^8.2.0",
    +    "nyc": "^15.1.0",
    +    "should": "^13.2.3"
       },
       "license": "MIT"
     }
    
  • package-lock.json (+2766 −3933, modified)
  • README.md (+3 −3, modified)
    @@ -1,8 +1,8 @@
     set [![License](https://img.shields.io/npm/l/@strikeentco/set.svg)](https://github.com/strikeentco/set/blob/master/LICENSE)  [![npm](https://img.shields.io/npm/v/@strikeentco/set.svg)](https://www.npmjs.com/package/@strikeentco/set)
     ==========
    -[![Build Status](https://travis-ci.org/strikeentco/set.svg)](https://travis-ci.org/strikeentco/set)  [![node](https://img.shields.io/node/v/@strikeentco/set.svg)](https://www.npmjs.com/package/@strikeentco/set) [![Test Coverage](https://api.codeclimate.com/v1/badges/450e530044d31f690dc5/test_coverage)](https://codeclimate.com/github/strikeentco/set/test_coverage) [![bitHound Score](https://www.bithound.io/github/strikeentco/set/badges/score.svg)](https://www.bithound.io/github/strikeentco/set)
    +[![Build Status](https://travis-ci.org/strikeentco/set.svg)](https://travis-ci.org/strikeentco/set)  [![node](https://img.shields.io/node/v/@strikeentco/set.svg)](https://www.npmjs.com/package/@strikeentco/set) [![Test Coverage](https://api.codeclimate.com/v1/badges/450e530044d31f690dc5/test_coverage)](https://codeclimate.com/github/strikeentco/set/test_coverage)
     
    -One of the smallest (*24 sloc*) and most effective implementations of setting a nested value on an object.
    +One of the smallest (*31 sloc*) and most effective implementations of setting a nested value on an object.
     
     # Usage
     
    @@ -41,4 +41,4 @@ set({ a: { b: 'c' } }, 'a:b', 'd', ':');
     ## License
     
     The MIT License (MIT)<br/>
    -Copyright (c) 2018 Alexey Bystrov
    +Copyright (c) 2018-present Alexey Bystrov
    
  • test.js (+38 −0, modified)
    @@ -106,4 +106,42 @@ describe('set', () => {
         set(o, 'a.b', date);
         should(o.a.b.getTime()).be.eql(date.getTime());
       });
    +
    +  it('should not indirectly set Object properties', () => {
    +    const o = {};
    +    set(o, 'constructor.a', 1);
    +    should(o.constructor.a).be.eql(undefined);
    +
    +    set(o, ['constructor', 'b'], 1);
    +    should(o.constructor.b).be.eql(undefined);
    +  });
    +
    +  it('should not indirectly set Object properties', () => {
    +    const o = {};
    +    set(o, '__proto__.a', 1);
    +    should(o.a).be.eql(undefined);
    +
    +    set(o, ['__proto__', 'b'], 1);
    +    should(o.b).be.eql(undefined);
    +  });
    +
    +  it('should not indirectly set Object properties', () => {
    +    const o = {};
    +    const ob = { o };
    +    set(o, 'ob.constructor.a', 1);
    +    should(ob.a).be.eql(undefined);
    +
    +    set(o, ['ob.constructor', 'b'], 1);
    +    should(ob.b).be.eql(undefined);
    +  });
    +
    +  it('should not indirectly set Object properties', () => {
    +    const o = {};
    +    const ob = { o };
    +    set(o, 'ob.__proto__.a', 1);
    +    should(ob.a).be.eql(undefined);
    +
    +    set(o, ['ob.__proto__', 'b'], 1);
    +    should(ob.b).be.eql(undefined);
    +  });
     });
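Review bot: the four new `it` blocks share the same title, so a failure cannot be told apart in the report; give each a distinct description. The third and fourth cases also do not exercise what their names suggest: `set` is called on `o` with a path that starts at `ob`, but `ob` is a separate object that merely wraps `o`, so `ob.a` is undefined no matter what `set` did, and the array form `['ob.constructor', 'b']` is a single literal key `ob.constructor`, not two segments. Asserting on a fresh object (`should(({}).a).be.eql(undefined)`) would check the actual invariant, that `Object.prototype` was not modified, and the nested cases should use a path that reaches `__proto__` or `constructor` below the first segment, for example `set(o, 'x.__proto__.a', 1)` followed by the fresh-object assertion.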
    
  • .travis.yml (+2 −2, modified)
    @@ -1,7 +1,7 @@
     language: node_js
     node_js:
    -  - "8"
    -  - "6"
    +  - "12"
    +  - "10"
     before_script:
       - curl -L https://codeclimate.com/downloads/test-reporter/test-reporter-latest-linux-amd64 > ./cc-test-reporter
       - chmod +x ./cc-test-reporter
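Review bot: CI now runs only Node 10 and 12, and the devDependency bumps in package.json (mocha ^8, eslint ^7) no longer support Node 6 or 8, but `engines.node` in package.json is still `>=6.0.0` (visible as context in its first hunk); either raise the engines range in the same change or keep a job for the oldest version the package claims to support.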
    

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 4

News mentions: 0

No linked articles in our index yet.