CVE-2020-28277
Description
Prototype pollution in dset (versions 1.0.0 to 2.0.1) via the export() function can lead to denial of service and potential remote code execution.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Prototype pollution in dset (versions 1.0.0 to 2.0.1) via the export() function can lead to denial of service and potential remote code execution.
Vulnerability
Analysis
CVE-2020-28277 is a prototype pollution vulnerability found in the NPM library 'dset' (versions 1.0.0 through 2.0.1). The root cause lies in the export() function, which does not validate the type of the object before assigning a value to a property. This lack of validation allows an attacker to inject malicious property keys, specifically by manipulating the keys argument to include a value such as __proto__ [1].
Exploitation
Vector
An attacker can exploit this flaw by supplying crafted input to the keys parameter of the export() function. Because the code does not check whether the target property is the prototype, it can assign arbitrary properties to Object.prototype. The attack does not require authentication if the library is used in client-side code or within a server-side application that processes user-supplied paths [1][2]. The vulnerability is exacerbated as the fix in commit [4] shows a change that also prevents array creation with float-type keys, indicating that the input validation was initially very lax.
Impact
The impact includes denial of service, as polluting the prototype can break application logic. More critically, the description notes that it may lead to remote code execution, as prototype pollution can sometimes be combined with other gadgets present in the application to achieve code execution [1].
Mitigation
The vulnerability has been fixed in dset version 2.0.2. Users should update to this patched version immediately. The fix was implemented in commit 2b9ec49 [4]. As of the publication date (2020-12-29), no workarounds were documented, and the patch is the recommended course of action.
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
dsetnpm | >= 1.0.0, < 2.0.1 | 2.0.1 |
Affected products
2- dset/dsetdescription
Patches
12b9ec49e2311fix: prevent array creation w/ float-type keys
1 file changed · +1 −1
src/index.js+1 −1 modified@@ -3,6 +3,6 @@ export default function (obj, keys, val) { var i=0, l=keys.length, t=obj, x; for (; i < l; ++i) { x = t[keys[i]]; - t = t[keys[i]] = (i === l - 1 ? val : (x == null ? (+keys[i + 1] > -1 ? [] : {}) : x)); + t = t[keys[i]] = (i === l - 1 ? val : (x != null ? x : (!!~keys[i+1].indexOf('.') || !(+keys[i+1] > -1)) ? {} : [])); } }
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
7- github.com/advisories/GHSA-q4xc-7cw8-cgfjghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2020-28277ghsaADVISORY
- github.com/lukeed/dset/blob/50a6ead172d1466a96035eff00f8eb465ccd050a/src/index.jsghsax_refsource_MISCWEB
- github.com/lukeed/dset/commit/2b9ec49e231107b1a83b04a1bc1a66a8d14cea1cghsaWEB
- github.com/lukeed/dset/issues/11ghsaWEB
- web.archive.org/web/20210104204657/https://www.whitesourcesoftware.com/vulnerability-database/CVE-2020-28277ghsaWEB
- www.whitesourcesoftware.com/vulnerability-database/CVE-2020-28277mitrex_refsource_CONFIRM
News mentions
0No linked articles in our index yet.