CVE-2020-28270
Description
Prototype pollution in object-hierarchy-access allows attackers to pollute Object.prototype via __proto__ property, leading to denial of service and potential remote code execution.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Prototype pollution in object-hierarchy-access allows attackers to pollute Object.prototype via __proto__ property, leading to denial of service and potential remote code execution.
Vulnerability
Overview
The object-hierarchy-access library (versions 0.2.0 through 0.32.0) provides functions to get and set values on nested object properties. The vulnerability arises because the library does not sanitize property names, allowing an attacker to use the special __proto__ property to pollute the global Object.prototype. This is a classic prototype pollution vulnerability [1][2].
Exploitation
An attacker can exploit this by supplying a crafted property path that includes __proto__ as a key when calling the set function. For example, set(obj, '__proto__', 'polluted', value) would set Object.prototype.polluted to the attacker-controlled value. No authentication is required; wherever the library processes user-supplied property paths, the flaw is reachable from untrusted input [1][3].
Impact
Successful prototype pollution can lead to denial of service by overriding built-in methods or properties on all objects. In some environments, it may also enable remote code execution if combined with other gadgets that rely on prototype properties. The official description notes both denial of service and potential remote code execution [2].
Mitigation
The issue was fixed in commit 7b1aa134a8bc4a376296bcfac5c3463aef2b7572, which adds a check to prevent assigning values to __proto__ when the current object's prototype is Object.prototype. Users should update to a patched version of the library [3].
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| object-hierarchy-access (npm) | >= 0.2.0, < 0.33.0 | 0.33.0 |
Affected products
- Range: v0.10.0, v0.11.0, v0.12.0, …
Patches
7b1aa134a8bc fix(setup): prevent assigning value to `__proto__`
7 files changed · +38 −5
built/setup.js+6 −1 modified@@ -1,12 +1,17 @@ import { normalizeDescriptor } from './utility/setup'; import { getNonEmptyPropName } from './utility/common'; +const propProto = '__proto__'; function generate(target, hierarchies, forceOverride) { let current = target; hierarchies.forEach(info => { const descriptor = normalizeDescriptor(info); const { value, type, create, override, created, skipped, got } = descriptor; const name = getNonEmptyPropName(current, descriptor); - if (forceOverride || override || !current[name] || typeof current[name] !== 'object') { + if (forceOverride || + override || + !current[name] || + typeof current[name] !== 'object' || + (name === propProto && current[name] === Object.prototype)) { const obj = value ? value : type ? new type() : create ? create.call(current, current, name) :
dist/index.esm.js+6 −1 modified@@ -73,13 +73,18 @@ function getPropNames(current, descriptor) { return getOwnEnumerablePropKeys(current); } +const propProto = '__proto__'; function generate(target, hierarchies, forceOverride) { let current = target; hierarchies.forEach(info => { const descriptor = normalizeDescriptor(info); const { value, type, create, override, created, skipped, got } = descriptor; const name = getNonEmptyPropName(current, descriptor); - if (forceOverride || override || !current[name] || typeof current[name] !== 'object') { + if (forceOverride || + override || + !current[name] || + typeof current[name] !== 'object' || + (name === propProto && current[name] === Object.prototype)) { const obj = value ? value : type ? new type() : create ? create.call(current, current, name) :
dist/index.js+6 −1 modified@@ -79,13 +79,18 @@ return getOwnEnumerablePropKeys(current); } + var propProto = '__proto__'; function generate(target, hierarchies, forceOverride) { var current = target; hierarchies.forEach(function (info) { var descriptor = normalizeDescriptor(info); var value = descriptor.value, type = descriptor.type, create = descriptor.create, override = descriptor.override, created = descriptor.created, skipped = descriptor.skipped, got = descriptor.got; var name = getNonEmptyPropName(current, descriptor); - if (forceOverride || override || !current[name] || typeof current[name] !== 'object') { + if (forceOverride || + override || + !current[name] || + typeof current[name] !== 'object' || + (name === propProto && current[name] === Object.prototype)) { var obj = value ? value : type ? new type() : create ? create.call(current, current, name) :
dist/index.min.js+1 −1 modified@@ -1 +1 @@ -!function(r,e){"object"==typeof exports&&"undefined"!=typeof module?e(exports):"function"==typeof define&&define.amd?define(["exports"],e):e((r="undefined"!=typeof globalThis?globalThis:r||self).ObjectHierarchyAccess={})}(this,(function(r){"use strict";function e(r){return Array.isArray(r)||r instanceof Array}function n(r){return"object"==typeof r&&null!==r}function t(r){var e=Object.keys(r);if(Object.getOwnPropertySymbols){var n=Object.getOwnPropertySymbols(r).filter((function(e){var n=Object.getOwnPropertyDescriptor(r,e);return n&&n.enumerable}));n.length&&e.push.apply(e,n)}return e}function a(r){return e(r)?[]:n(r)?{}:r}function u(r,e){var n=e.name,t=e.getName;return n!==undefined?n:t?t.call(r,r):void 0}function o(r,n){var a=n.names,u=n.getNames;if(a!==undefined)return e(a)?a:[a];if(u){var o=u.call(r,r);if(o!==undefined)return e(o)?o:[o]}return t(r)}function f(r,e,n){var t=r;return e.forEach((function(r){var e=function(r){return"object"==typeof r&&null!==r?r:"function"==typeof r?{getName:r,value:{}}:{name:r,value:{}}}(r),a=e.value,o=e.type,f=e.create,i=e.override,c=e.created,l=e.skipped,p=e.got,v=function(r,e){var n=u(r,e);return n!==undefined?n:"undefined"}(t,e);if(n||i||!t[v]||"object"!=typeof t[v]){var h=a||(o?new o:f?f.call(t,t,v):{});t[v]=h,c&&c.call(t,t,v,h)}else l&&l.call(t,t,v,t[v]);var s=t;t=t[v],p&&p.call(s,s,v,t)})),t}function i(r,e){return f(r,e)}function c(r,e){var n=f(r,e.slice(0,-1));return{current:n,last:f(n,e.slice(-1),!0)}}function l(r){var e=r[r.length-1],n=Array.prototype.concat.apply([],r.slice(0,-1));return{hierarchies:n.slice(0,-1),prop:n[n.length-1],value:e}}function p(r){return Array.prototype.concat.apply([],r)}function v(r){for(var e=[],n=1;n<arguments.length;n++)e[n-1]=arguments[n];var t=p(e),a=r||{};return c(a,t),a}function h(r){return"object"==typeof r?r:"function"==typeof r?{getValue:r}:{name:r}}function s(r,e){var 
n,t=e.getValue,a=u(r,e);a!==undefined?n=r[a]:(a="undefined",t&&(n=t.call(r,r)));var o=e.got;return o&&o.call(r,r,a,n),{name:a,value:n}}function y(r){for(var e=[],n=1;n<arguments.length;n++)e[n-1]=arguments[n];var t=Array.prototype.concat.apply([],e),a=r;return a!==undefined&&null!==a&&t.every((function(r){var e=h(r),n=s(a,e).value;return a=n})),a}function d(r){for(var e=[],n=1;n<arguments.length;n++)e[n-1]=arguments[n];if(r===undefined||null===r)return!1;for(var t=Array.prototype.concat.apply([],e),a=r,u=0;u<t.length;u++){var o=t[u];if(!a||!(o in a))return!1;a=a[o]}return!0}function g(r){var e=r[r.length-1];return{hierarchies:Array.prototype.concat.apply([],r.slice(0,-1)),callback:e}}function m(r){return e(r)?{names:r}:"object"==typeof r&&null!==r?r:"function"==typeof r?{getNames:r}:{names:r}}function b(r,e,n){var t=n.got,a=n.mapName,u=n.mapValue,o=n.mapped,f=r[e];t&&t.call(r,r,e,f);var i=a?a.call(r,r,e,f):e,c=u?u.call(r,r,e,f):f;return o&&o.call(r,r,i,c),{mappedName:i,mappedValue:c}}function j(r,e,n,t){var u=m(n[t]),f=o(r,u),i=n.length-1;f.forEach((function(o){if(o in r){var f=b(r,o,u),c=f.mappedName,l=f.mappedValue;e[c]=t<i?a(l):l,t<i&&"object"==typeof l&&null!==l&&j(l,e[c],n,t+1)}}))}function A(r,e,n,t){var a=m(n[t]),u=o(r,a),f=n.length-1;u.forEach((function(u){if(u in r){var o=b(r,u,a).mappedValue;t<f?A(o,e,n,t+1):e.push(o)}}))}function O(r){return"object"==typeof r&&null!==r?r:"function"==typeof r?{by:r}:{}}function k(r,e){var n=r.type,t=r.create;return n?new n:t?t.call(e,e):{}}function P(r,a){void 0===a&&(a=16);var u=[];if(n(r))for(var o=e(r)?Array:Object,f=[r],i=function(r){var a=Array,i=[];if(f.forEach((function(r){t(r).forEach((function(t){var u=r[t];n(u)&&(e(u)||(a=Object),i.push(u))}))})),u.push(o),!i.length)return"break";o=a,f=i},c=0;c<=a;c++){if("break"===i())break}return u}r.array2map=function(r,n,t){if(e(r)){for(var a={},u=0;u<r.length;u++){var o=r[u],f=y(o,n),i=y(o,t);a[f]=i}return a}},r.assign=function(r){for(var 
e=[],n=1;n<arguments.length;n++)e[n-1]=arguments[n];var t=l(e),a=t.hierarchies,u=t.prop,o=t.value,f=i(r,a);return f[u]=o,f},r.assignIfUndef=function(r){for(var e=[],n=1;n<arguments.length;n++)e[n-1]=arguments[n];var t=l(e),a=t.hierarchies,u=t.prop,o=t.value,f=i(r,a);return f[u]===undefined&&(f[u]=o),f},r.assignProp=function(r){for(var e=[],n=1;n<arguments.length;n++)e[n-1]=arguments[n];var t=p(e),a=c(r,t).current;return a},r.assignPropIfUndef=function(r){for(var e=[],n=1;n<arguments.length;n++)e[n-1]=arguments[n];var t=p(e),a=i(r,t.slice(0,-1));return i(a,t.slice(-1)),a},r.exist=d,r.get=y,r.group=function(r){for(var n=[],u=1;u<arguments.length;u++)n[u-1]=arguments[u];if(!n.length)return r;var o=Array.prototype.concat.apply([],n).map(O).filter((function(r){return r.by}));if(!o.length)return r;var f,i=o.length-1,c=t(r);return c.forEach((function(n){var t,u,c=r[n];o.forEach((function(o,l){var p=o.by;0===l?(f||(f=k(o,r)),t=f):(t[u]||(t[u]=k(o,r)),t=t[u]);var v=p.call(r,r,n,c);if(l!==i)u=v;else{t[v]||(t[v]=a(r));var h=t[v];e(h)?h.push(c):h[n]=c}}))})),f},r.map2array=function(r,e,n){if(r){var a=[];return t(r).forEach((function(t){var u,o=r[t],f="function"==typeof e?e.call(r,r,t,o):e,i="function"==typeof n?n.call(r,r,t,o):n;a.push(((u={})[f]=t,u[i]=o,u))})),a}},r.pick=function(r){for(var e=[],n=1;n<arguments.length;n++)e[n-1]=arguments[n];var t=[],a=r;return a!==undefined&&null!==a&&A(a,t,e,0),t},r.put=function(r){for(var e=[],n=1;n<arguments.length;n++)e[n-1]=arguments[n];var t=l(e),a=t.hierarchies,u=t.prop,o=t.value,f=i(r,a);return f[u]=o,o},r.putIfUndef=function(r){for(var e=[],n=1;n<arguments.length;n++)e[n-1]=arguments[n];var t=l(e),a=t.hierarchies,u=t.prop,o=t.value,f=i(r,a);return f[u]===undefined&&(f[u]=o),f[u]},r.putProp=function(r){for(var e=[],n=1;n<arguments.length;n++)e[n-1]=arguments[n];var t=p(e),a=c(r,t).last;return a},r.putPropIfUndef=function(r){for(var e=[],n=1;n<arguments.length;n++)e[n-1]=arguments[n];var t=p(e);return 
i(r,t)},r.redim=function(r){for(var e=[],n=1;n<arguments.length;n++)e[n-1]=arguments[n];if(!r)return r;var a=Array.prototype.concat.apply([],e);if(!a.length)return r;var u=Math.min.apply(Math,a);if(!(u<0)){var o=Math.max.apply(Math,a),f=a.length-1,i=P(r,o);if(i.length&&!(o>=i.length)){var c=new i[a[0]],l=function e(r,n,u){if(u<=o)t(n).forEach((function(t){var a=u+1;d(n,t)&&e(r.concat(t),n[t],a)}));else{var l=a.map((function(e,t){return t<f?{name:r[e],type:i[a[t+1]]}:{name:r[e],value:n}}));v(c,l)}};return l([],r,0),c}}},r.select=function(r){for(var e,n=[],t=1;t<arguments.length;t++)n[t-1]=arguments[t];var u=r;return u!==undefined&&null!==u&&j(u,e=a(u),n,0),e},r.set=function(r){for(var e=[],n=1;n<arguments.length;n++)e[n-1]=arguments[n];var t=l(e),a=t.hierarchies,u=t.prop,o=t.value,f=r||{},c=i(f,a);return c[u]=o,f},r.setIfUndef=function(r){for(var e=[],n=1;n<arguments.length;n++)e[n-1]=arguments[n];var t=l(e),a=t.hierarchies,u=t.prop,o=t.value,f=r||{},c=i(f,a);return c[u]===undefined&&(c[u]=o),f},r.setProp=v,r.setPropIfUndef=function(r){for(var e=[],n=1;n<arguments.length;n++)e[n-1]=arguments[n];var t=p(e),a=r||{};return i(a,t),a},r.traverse=function(r){for(var e=[],n=1;n<arguments.length;n++)e[n-1]=arguments[n];var t=g(e),a=t.hierarchies,u=t.callback,o=r;o!==undefined&&null!==o&&a.every((function(r){var e=h(r),n=s(o,e),t=n.name,a=n.value,f=o;return o=a,!1!==u.call(f,f,t,o)}))},r.traverseReverse=function(r){for(var e=[],n=1;n<arguments.length;n++)e[n-1]=arguments[n];var t=g(e),a=t.hierarchies,u=t.callback,o=r;if(o!==undefined&&null!==o){var f=[];a.every((function(r){var e=h(r),n=s(o,e),t=n.name,a=n.value,u=o;return o=a,f.push({parent:u,name:t,current:o}),o}));for(var i=f.length-1;i>=0;i--){var c=f[i],l=u.call(c.parent,c.parent,c.name,c.current);if(!1===l)break}}},Object.defineProperty(r,"__esModule",{value:!0})})); +!function(r,e){"object"==typeof exports&&"undefined"!=typeof module?e(exports):"function"==typeof 
define&&define.amd?define(["exports"],e):e((r="undefined"!=typeof globalThis?globalThis:r||self).ObjectHierarchyAccess={})}(this,(function(r){"use strict";function e(r){return Array.isArray(r)||r instanceof Array}function n(r){return"object"==typeof r&&null!==r}function t(r){var e=Object.keys(r);if(Object.getOwnPropertySymbols){var n=Object.getOwnPropertySymbols(r).filter((function(e){var n=Object.getOwnPropertyDescriptor(r,e);return n&&n.enumerable}));n.length&&e.push.apply(e,n)}return e}function a(r){return e(r)?[]:n(r)?{}:r}function u(r,e){var n=e.name,t=e.getName;return n!==undefined?n:t?t.call(r,r):void 0}function o(r,n){var a=n.names,u=n.getNames;if(a!==undefined)return e(a)?a:[a];if(u){var o=u.call(r,r);if(o!==undefined)return e(o)?o:[o]}return t(r)}function f(r,e,n){var t=r;return e.forEach((function(r){var e=function(r){return"object"==typeof r&&null!==r?r:"function"==typeof r?{getName:r,value:{}}:{name:r,value:{}}}(r),a=e.value,o=e.type,f=e.create,c=e.override,i=e.created,l=e.skipped,p=e.got,v=function(r,e){var n=u(r,e);return n!==undefined?n:"undefined"}(t,e);if(n||c||!t[v]||"object"!=typeof t[v]||"__proto__"===v&&t[v]===Object.prototype){var h=a||(o?new o:f?f.call(t,t,v):{});t[v]=h,i&&i.call(t,t,v,h)}else l&&l.call(t,t,v,t[v]);var s=t;t=t[v],p&&p.call(s,s,v,t)})),t}function c(r,e){return f(r,e)}function i(r,e){var n=f(r,e.slice(0,-1));return{current:n,last:f(n,e.slice(-1),!0)}}function l(r){var e=r[r.length-1],n=Array.prototype.concat.apply([],r.slice(0,-1));return{hierarchies:n.slice(0,-1),prop:n[n.length-1],value:e}}function p(r){return Array.prototype.concat.apply([],r)}function v(r){for(var e=[],n=1;n<arguments.length;n++)e[n-1]=arguments[n];var t=p(e),a=r||{};return i(a,t),a}function h(r){return"object"==typeof r?r:"function"==typeof r?{getValue:r}:{name:r}}function s(r,e){var n,t=e.getValue,a=u(r,e);a!==undefined?n=r[a]:(a="undefined",t&&(n=t.call(r,r)));var o=e.got;return o&&o.call(r,r,a,n),{name:a,value:n}}function y(r){for(var 
e=[],n=1;n<arguments.length;n++)e[n-1]=arguments[n];var t=Array.prototype.concat.apply([],e),a=r;return a!==undefined&&null!==a&&t.every((function(r){var e=h(r),n=s(a,e).value;return a=n})),a}function d(r){for(var e=[],n=1;n<arguments.length;n++)e[n-1]=arguments[n];if(r===undefined||null===r)return!1;for(var t=Array.prototype.concat.apply([],e),a=r,u=0;u<t.length;u++){var o=t[u];if(!a||!(o in a))return!1;a=a[o]}return!0}function g(r){var e=r[r.length-1];return{hierarchies:Array.prototype.concat.apply([],r.slice(0,-1)),callback:e}}function m(r){return e(r)?{names:r}:"object"==typeof r&&null!==r?r:"function"==typeof r?{getNames:r}:{names:r}}function b(r,e,n){var t=n.got,a=n.mapName,u=n.mapValue,o=n.mapped,f=r[e];t&&t.call(r,r,e,f);var c=a?a.call(r,r,e,f):e,i=u?u.call(r,r,e,f):f;return o&&o.call(r,r,c,i),{mappedName:c,mappedValue:i}}function j(r,e,n,t){var u=m(n[t]),f=o(r,u),c=n.length-1;f.forEach((function(o){if(o in r){var f=b(r,o,u),i=f.mappedName,l=f.mappedValue;e[i]=t<c?a(l):l,t<c&&"object"==typeof l&&null!==l&&j(l,e[i],n,t+1)}}))}function A(r,e,n,t){var a=m(n[t]),u=o(r,a),f=n.length-1;u.forEach((function(u){if(u in r){var o=b(r,u,a).mappedValue;t<f?A(o,e,n,t+1):e.push(o)}}))}function O(r){return"object"==typeof r&&null!==r?r:"function"==typeof r?{by:r}:{}}function k(r,e){var n=r.type,t=r.create;return n?new n:t?t.call(e,e):{}}function P(r,a){void 0===a&&(a=16);var u=[];if(n(r))for(var o=e(r)?Array:Object,f=[r],c=function(r){var a=Array,c=[];if(f.forEach((function(r){t(r).forEach((function(t){var u=r[t];n(u)&&(e(u)||(a=Object),c.push(u))}))})),u.push(o),!c.length)return"break";o=a,f=c},i=0;i<=a;i++){if("break"===c())break}return u}r.array2map=function(r,n,t){if(e(r)){for(var a={},u=0;u<r.length;u++){var o=r[u],f=y(o,n),c=y(o,t);a[f]=c}return a}},r.assign=function(r){for(var e=[],n=1;n<arguments.length;n++)e[n-1]=arguments[n];var t=l(e),a=t.hierarchies,u=t.prop,o=t.value,f=c(r,a);return f[u]=o,f},r.assignIfUndef=function(r){for(var 
e=[],n=1;n<arguments.length;n++)e[n-1]=arguments[n];var t=l(e),a=t.hierarchies,u=t.prop,o=t.value,f=c(r,a);return f[u]===undefined&&(f[u]=o),f},r.assignProp=function(r){for(var e=[],n=1;n<arguments.length;n++)e[n-1]=arguments[n];var t=p(e),a=i(r,t).current;return a},r.assignPropIfUndef=function(r){for(var e=[],n=1;n<arguments.length;n++)e[n-1]=arguments[n];var t=p(e),a=c(r,t.slice(0,-1));return c(a,t.slice(-1)),a},r.exist=d,r.get=y,r.group=function(r){for(var n=[],u=1;u<arguments.length;u++)n[u-1]=arguments[u];if(!n.length)return r;var o=Array.prototype.concat.apply([],n).map(O).filter((function(r){return r.by}));if(!o.length)return r;var f,c=o.length-1,i=t(r);return i.forEach((function(n){var t,u,i=r[n];o.forEach((function(o,l){var p=o.by;0===l?(f||(f=k(o,r)),t=f):(t[u]||(t[u]=k(o,r)),t=t[u]);var v=p.call(r,r,n,i);if(l!==c)u=v;else{t[v]||(t[v]=a(r));var h=t[v];e(h)?h.push(i):h[n]=i}}))})),f},r.map2array=function(r,e,n){if(r){var a=[];return t(r).forEach((function(t){var u,o=r[t],f="function"==typeof e?e.call(r,r,t,o):e,c="function"==typeof n?n.call(r,r,t,o):n;a.push(((u={})[f]=t,u[c]=o,u))})),a}},r.pick=function(r){for(var e=[],n=1;n<arguments.length;n++)e[n-1]=arguments[n];var t=[],a=r;return a!==undefined&&null!==a&&A(a,t,e,0),t},r.put=function(r){for(var e=[],n=1;n<arguments.length;n++)e[n-1]=arguments[n];var t=l(e),a=t.hierarchies,u=t.prop,o=t.value,f=c(r,a);return f[u]=o,o},r.putIfUndef=function(r){for(var e=[],n=1;n<arguments.length;n++)e[n-1]=arguments[n];var t=l(e),a=t.hierarchies,u=t.prop,o=t.value,f=c(r,a);return f[u]===undefined&&(f[u]=o),f[u]},r.putProp=function(r){for(var e=[],n=1;n<arguments.length;n++)e[n-1]=arguments[n];var t=p(e),a=i(r,t).last;return a},r.putPropIfUndef=function(r){for(var e=[],n=1;n<arguments.length;n++)e[n-1]=arguments[n];var t=p(e);return c(r,t)},r.redim=function(r){for(var e=[],n=1;n<arguments.length;n++)e[n-1]=arguments[n];if(!r)return r;var a=Array.prototype.concat.apply([],e);if(!a.length)return r;var 
u=Math.min.apply(Math,a);if(!(u<0)){var o=Math.max.apply(Math,a),f=a.length-1,c=P(r,o);if(c.length&&!(o>=c.length)){var i=new c[a[0]],l=function e(r,n,u){if(u<=o)t(n).forEach((function(t){var a=u+1;d(n,t)&&e(r.concat(t),n[t],a)}));else{var l=a.map((function(e,t){return t<f?{name:r[e],type:c[a[t+1]]}:{name:r[e],value:n}}));v(i,l)}};return l([],r,0),i}}},r.select=function(r){for(var e,n=[],t=1;t<arguments.length;t++)n[t-1]=arguments[t];var u=r;return u!==undefined&&null!==u&&j(u,e=a(u),n,0),e},r.set=function(r){for(var e=[],n=1;n<arguments.length;n++)e[n-1]=arguments[n];var t=l(e),a=t.hierarchies,u=t.prop,o=t.value,f=r||{},i=c(f,a);return i[u]=o,f},r.setIfUndef=function(r){for(var e=[],n=1;n<arguments.length;n++)e[n-1]=arguments[n];var t=l(e),a=t.hierarchies,u=t.prop,o=t.value,f=r||{},i=c(f,a);return i[u]===undefined&&(i[u]=o),f},r.setProp=v,r.setPropIfUndef=function(r){for(var e=[],n=1;n<arguments.length;n++)e[n-1]=arguments[n];var t=p(e),a=r||{};return c(a,t),a},r.traverse=function(r){for(var e=[],n=1;n<arguments.length;n++)e[n-1]=arguments[n];var t=g(e),a=t.hierarchies,u=t.callback,o=r;o!==undefined&&null!==o&&a.every((function(r){var e=h(r),n=s(o,e),t=n.name,a=n.value,f=o;return o=a,!1!==u.call(f,f,t,o)}))},r.traverseReverse=function(r){for(var e=[],n=1;n<arguments.length;n++)e[n-1]=arguments[n];var t=g(e),a=t.hierarchies,u=t.callback,o=r;if(o!==undefined&&null!==o){var f=[];a.every((function(r){var e=h(r),n=s(o,e),t=n.name,a=n.value,u=o;return o=a,f.push({parent:u,name:t,current:o}),o}));for(var c=f.length-1;c>=0;c--){var i=f[c],l=u.call(i.parent,i.parent,i.name,i.current);if(!1===l)break}}},Object.defineProperty(r,"__esModule",{value:!0})}));
src/setup.ts+9 −1 modified@@ -2,6 +2,8 @@ import type {SetupPropParam} from './type'; import {normalizeDescriptor} from './utility/setup'; import {getNonEmptyPropName} from './utility/common'; +const propProto = '__proto__'; + function generate( target: any, hierarchies: SetupPropParam[], @@ -13,7 +15,13 @@ function generate( const {value, type, create, override, created, skipped, got} = descriptor; const name = getNonEmptyPropName(current, descriptor); - if (forceOverride || override || !current[name] || typeof current[name] !== 'object') { + if ( + forceOverride || + override || + !current[name] || + typeof current[name] !== 'object' || + (name === propProto && current[name] === Object.prototype) + ) { const obj = value ? value : type ? new type() : create ? create.call(current, current, name) :
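Review bot: The new clause in the `if` inside `generate` only forces a fresh object when the prototype reached through `__proto__` is exactly `Object.prototype`; a target whose prototype is some other shared built-in (an array, say, whose `__proto__` is `Array.prototype`) still takes the else branch, `current` becomes that shared prototype, and the caller's final assignment (`c[u] = o` in `set`, visible in the dist bundle) lands on it. Since a property path has no legitimate reason to descend into a prototype, the comparison can be dropped so that the key always triggers the override: `name === propProto` in place of `(name === propProto && current[name] === Object.prototype)`. Even on the override path the write `current[name] = obj` for `__proto__` rewires the prototype of `current` rather than creating an own property, so rejecting the key outright (throwing) would be the clearer contract and is worth a comment on `propProto` explaining why it is special-cased. `generate` continues past the end of the hunk, and the same clause is repeated in built/setup.js, dist/index.esm.js, dist/index.js and dist/index.min.js.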
test/set/7-no-proto-polution.js+9 −0 added@@ -0,0 +1,9 @@ +const assert = require('assert').strict; +const {set} = require('../../'); + +const obj1 = {}; +const obj2 = {}; +set(obj1, '__proto__', 'admin', true); +assert.notEqual(obj1.__proto__, Object.prototype); +assert.equal(obj1.__proto__.admin, true); +assert.strictEqual(obj2.admin, undefined);
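Review bot: The new test pins only a plain `{}` target with `__proto__` as the first segment, so it would still pass if an object with a different prototype, or a path with `__proto__` in the middle, reached a shared prototype. It also leaves whatever `set` wrote in place: should the guard regress, `Object.prototype.admin` stays set for every later test in the same process and makes their failures confusing, so the assertions should run inside a `try`/`finally` whose cleanup is `delete Object.prototype.admin;`, and the last check is stronger as `assert.strictEqual(Object.hasOwn(Object.prototype, 'admin'), false);`.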
test/set/index.js+1 −0 modified@@ -4,3 +4,4 @@ require('./3-symbol-property'); require('./4-array-params'); require('./5-array-value'); require('./6-option-params'); +require('./7-no-proto-polution');
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-fxwf-45c7-4ppr (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2020-28270 (ghsa, ADVISORY)
- github.com/mjpclab/object-hierarchy-access/commit/7b1aa134a8bc4a376296bcfac5c3463aef2b7572 (ghsa, x_refsource_MISC, WEB)
- www.whitesourcesoftware.com/vulnerability-database/CVE-2020-28270 (ghsa, x_refsource_MISC, WEB)
- www.whitesourcesoftware.com/vulnerability-database/CVE-2020-28270, (ghsa, WEB)
News mentions
No linked articles in our index yet.