CVE-2020-28269
Description
Prototype pollution vulnerability in the 'field' npm package (versions 0.0.1 to 1.0.1) can lead to denial of service and potentially remote code execution.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Prototype pollution vulnerability in the 'field' npm package (versions 0.0.1 to 1.0.1) can lead to denial of service and potentially remote code execution.
Vulnerability
Overview
The field npm package, versions 0.0.1 through 1.0.1, contains a prototype pollution vulnerability. The library's set function (see lib/field.js line 39 [2]) recursively assigns nested properties without checking for __proto__, constructor, or prototype keys. This allows an attacker to inject properties into Object.prototype [1].
Exploitation
An attacker can exploit this by supplying a crafted object path that includes __proto__ or constructor.prototype as a key. When the application uses field to set a value based on user input, the prototype becomes polluted. No authentication is required if the input is exposed to untrusted users [3].
Impact
Successful prototype pollution can cause denial of service by breaking object iteration or triggering infinite loops. More critically, it may lead to remote code execution if the polluted property influences security-sensitive operations (e.g., property access in template engines or event handlers) [1][3].
Mitigation
The field repository has been archived and is no longer maintained. Users should migrate to an alternative library that properly sanitizes keys. No official patch is available for this vulnerability [2].
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
fieldnpm | >= 0.0.1, <= 1.0.1 | — |
Affected products
2- field/fielddescription
Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
5- github.com/advisories/GHSA-hm82-qr45-h7mwghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2020-28269ghsaADVISORY
- github.com/jprichardson/field/blob/2a3811dfc4cdd13833977477d2533534fc61ce06/lib/field.jsghsax_refsource_MISCWEB
- www.whitesourcesoftware.com/vulnerability-database/CVE-2020-28269ghsax_refsource_MISCWEB
- www.whitesourcesoftware.com/vulnerability-database/CVE-2020-28269,ghsaWEB
News mentions
0No linked articles in our index yet.