VYPR
Critical severity · NVD Advisory · Published Dec 29, 2020 · Updated Aug 4, 2024

CVE-2020-28276

Description

Prototype pollution in deep-set npm package 1.0.0-1.0.1 allows DoS and potential RCE via crafted __proto__ path.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

The deep-set npm package versions 1.0.0 through 1.0.1 contain a prototype pollution vulnerability in the deepSet() function [1]. The function fails to validate the type of object before assigning a value to a property, allowing an attacker to modify the prototype of built-in objects [2]. Specifically, the code at line 39 of index.js does not check whether the target property is an object's own property [3].

An attacker can exploit this by providing a specially crafted path containing __proto__ as part of the object key. For example, calling deepSet(obj, '__proto__.isAdmin', 'true') pollutes Object.prototype by setting isAdmin to 'true' [2]. This attack does not require authentication and can be triggered via user-supplied input if the application passes unsanitized user data to deepSet().

The impact includes denial of service (by polluting properties that affect application logic) and, more critically, potential remote code execution, depending on how the polluted properties are used later in the application [1][2]. For instance, if the application later reads obj.isAdmin without checking that it is an own property, the polluted value may grant unauthorized privileges [2].

As of the latest information, the repository has been archived and there is no official fix [4]. Mitigation recommendations include using Object.freeze() to prevent prototype modifications, validating JSON input against a schema, or creating objects with Object.create(null) so they have no prototype chain to pollute [2]. Users should consider switching to alternative packages that are not vulnerable [1].
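The mitigations above, shown as an added example that is not the deep-set package's own code: a hardened deep-set helper that refuses the __proto__, constructor and prototype segments, only traverses own properties, and, for the advisory's `'__proto__.isAdmin'` path, rejects the call and leaves Object.prototype untouched. Function names (safeDeepSet, pollutionAttemptBlocked, hasOwnFlag) are this example's own.

```javascript
'use strict';
// Added, illustrative code: not the deep-set package's own implementation.
// Path segments that would let a caller reach Object.prototype.
const UNSAFE_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function isPlainObject(value) {
  if (value === null || typeof value !== 'object') return false;
  const proto = Object.getPrototypeOf(value);
  return proto === Object.prototype || proto === null;
}

// Assigns `value` at the dotted `path` inside `target`, creating
// intermediate plain objects as needed. Refuses __proto__/constructor/
// prototype segments and only traverses own properties, so an inherited
// property can never be used as a pivot into a shared prototype.
function safeDeepSet(target, path, value) {
  if (!isPlainObject(target)) throw new TypeError('target must be a plain object');
  const keys = String(path).split('.');
  for (const key of keys) {
    if (key === '' || UNSAFE_KEYS.has(key)) {
      throw new Error(`refusing unsafe path segment: ${JSON.stringify(key)}`);
    }
  }
  let node = target;
  for (let i = 0; i < keys.length - 1; i++) {
    const key = keys[i];
    const own = Object.prototype.hasOwnProperty.call(node, key);
    // Reuse only an existing *own* plain object; otherwise start a fresh one.
    if (!own || !isPlainObject(node[key])) node[key] = {};
    node = node[key];
  }
  node[keys[keys.length - 1]] = value;
  return target;
}

// Replays the call from the advisory, deepSet(obj, '__proto__.isAdmin', 'true'),
// against the hardened helper. Returns true only if it was rejected and
// Object.prototype gained no isAdmin property.
function pollutionAttemptBlocked() {
  let rejected = false;
  try { safeDeepSet({}, '__proto__.isAdmin', 'true'); } catch (e) { rejected = true; }
  return rejected && !('isAdmin' in {});
}

// Own-property check to use in place of a bare obj.isAdmin read:
// an inherited (polluted) value does not count as a real field.
function hasOwnFlag(obj, name) {
  return Object.prototype.hasOwnProperty.call(obj, name) && obj[name] === true;
}
```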

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: deep-set (npm)
Affected versions: >= 1.0.0, <= 1.0.1
Patched versions: (none listed)

Affected products

2
  • deep-set/deep-set
  • ghsa-coords
    Range: >= 1.0.0, <= 1.0.1

Patches

0

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

5

News mentions

0

No linked articles in our index yet.