CVE-2020-28278
Description
The 'shvl' npm package (versions 1.0.0–2.0.1) is vulnerable to prototype pollution via the set() function, enabling denial of service or potentially remote code execution.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
Description
The shvl npm package, versions 1.0.0 through 2.0.1, contains a prototype pollution vulnerability in its set() function. The function fails to validate the type of object before assigning a value to a property, allowing an attacker to inject properties through the __proto__ chain [1][2]. A proof-of-concept demonstrates that calling shvl.set(obj, '__proto__.isAdmin', true) pollutes the Object prototype, making obj.isAdmin return true for any object [2].
Exploitation and Attack Surface
The vulnerability is triggered by supplying a malicious path argument to set() that includes __proto__ or similar prototype-altering keys. No authentication is required if the attacker can control inputs passed to this function. The attack surface is primarily server-side or client-side JavaScript applications that use the shvl package to set nested properties from user input [2].
Impact
Successful exploitation can lead to denial of service by corrupting object behavior across the application, and may enable remote code execution if the polluted property influences security-critical logic (e.g., assigning isAdmin) [1][2]. The full impact depends on how the application uses the polluted properties.
Mitigation Status
The fix was implemented in commit 513c084, which added test cases to block assignment to __proto__ [4]. However, a subsequent pull request (PR #36) noted that the initial regex fix was insufficient and that a more robust check is needed [3]. Users should upgrade to the patched version (2.0.2) or later if available and apply input validation or object freezing as a workaround [2].
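As an added illustration of the mechanism and of the input check described above (example code written for this page, not shvl's own): `unsafeSet` reproduces the pre-fix `set()` from the commit diff on this page, and `safeSet` is a hardened variant that splits the path first and rejects any segment that is exactly `__proto__`, `constructor` or `prototype`. Rejecting the latter two as well, and throwing instead of silently returning the object, are this example's assumptions, not something the advisory prescribes. `runDemo` runs the page's proof-of-concept path against both variants and reports whether an unrelated object gained the property, restoring `Object.prototype` afterwards.

```javascript
// Added example for this page, not shvl's own code.

// Pre-fix shvl.set(), reproduced from the '-' line of the commit diff on this
// page: it walks the path with obj[p] = obj[p] || {} and never checks the keys,
// so a '__proto__' segment steps onto Object.prototype and the final
// assignment lands there.
function unsafeSet(object, path, val, obj) {
  return ((path = path.split ? path.split('.') : path.slice(0)).slice(0, -1).reduce(function (obj, p) {
    return obj[p] = obj[p] || {};
  }, obj = object)[path.pop()] = val), object;
}

// Segments that move a walk from a plain object onto a prototype. Rejecting
// 'constructor' and 'prototype' as well as '__proto__' is this example's
// assumption, not something the advisory prescribes.
const UNSAFE_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function isUnsafeKey(key) {
  return UNSAFE_KEYS.has(String(key));
}

// Hardened variant: split first, then compare every segment exactly. Unlike a
// substring regex over the whole path, a legitimate key that merely contains
// the text is still allowed, and the other prototype-reaching segments are caught.
function safeSet(object, path, val) {
  const keys = Array.isArray(path) ? path.slice(0) : String(path).split('.');
  if (keys.length === 0 || keys.some(isUnsafeKey)) {
    // Throw rather than silently returning the object unchanged, so a caller
    // that feeds user-controlled paths can log and handle the rejection.
    throw new TypeError('refusing to set prototype-reaching path: ' + keys.join('.'));
  }
  let cursor = object;
  for (const key of keys.slice(0, -1)) {
    const existing = Object.prototype.hasOwnProperty.call(cursor, key) ? cursor[key] : undefined;
    // Only descend into an own, non-null object; an inherited or primitive
    // value is replaced by a fresh object so the walk never leaves the target.
    if (typeof existing !== 'object' || existing === null) {
      cursor[key] = {};
    }
    cursor = cursor[key];
  }
  cursor[keys[keys.length - 1]] = val;
  return object;
}

// Runs the page's proof-of-concept path against both variants and reports
// whether an unrelated object ('probe') gained the property. The polluted
// prototype is cleaned up afterwards so nothing else in the process is affected.
function runDemo() {
  const probe = {};
  const result = {};
  try {
    unsafeSet({}, '__proto__.isAdmin', true);
    result.unsafePolluted = probe.isAdmin === true;
  } finally {
    delete Object.prototype.isAdmin;
  }
  let rejected = false;
  try {
    safeSet({}, '__proto__.isAdmin', true);
  } catch (err) {
    rejected = err instanceof TypeError;
  }
  result.safeRejected = rejected;
  result.safePolluted = probe.isAdmin === true;
  return result;
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(runDemo());                    // { unsafePolluted: true, safeRejected: true, safePolluted: false }
  console.log(safeSet({}, 'a.b.c', 'bar'));  // { a: { b: { c: 'bar' } } }
}
```

Run it with node. The own-property check in `safeSet` also means a pre-existing inherited value at an intermediate segment is replaced by a fresh object rather than descended into, which is a small behavioural difference from the original `obj[p] || {}` walk and the reason the hardened walk cannot leave the target object even without the key list.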
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| shvl (npm) | >= 1.0.0, < 2.0.2 | 2.0.2 |
Affected products
- Range: v1.0.0, v1.1.0, v1.1.1, …
Patches
513c0848774d: Fix assignment to proto. Closes #34.
2 files changed · +3 −1
index.js+1 −1 modified@@ -5,7 +5,7 @@ export function get (object, path, def) { }; export function set (object, path, val, obj) { - return ((path = path.split ? path.split('.') : path.slice(0)).slice(0, -1).reduce(function (obj, p) { + return !/__proto__/.test(path) && ((path = path.split ? path.split('.') : path.slice(0)).slice(0, -1).reduce(function (obj, p) { return obj[p] = obj[p] || {}; }, obj = object)[path.pop()] = val), object; };
test.js+2 −0 modified@@ -73,6 +73,8 @@ cases('set({}, key, value)', ({ obj, key, value, expected }) => { "set(obj, 'a.b.c', 'bar')": { key: 'a.b.c', value: 'bar', expected: { a: { b: { c: 'bar' } } }, obj: { a: { b: { c: 'foo' } } } }, "set(obj, 'a.b', 'foo')": { key: 'a.b', value: 'foo', expected: { a: { b: 'foo' } }, obj: { a: { b: undefined } } }, "set(obj, 'a.b', undefined)": { key: 'a.b', value: undefined, expected: { a: { b: undefined } }, obj: { a: { b: 'foo' } } }, + "set(obj, '__proto__', 'foo')": { key: "__proto__", value: "foo", expected: {} }, + "set(obj, 'a.__proto__', 'foo')": { key: "__proto__", value: "foo", expected: { a: undefined } }, }); cases('set(undefined, key, value)', ({ obj, key, value }) => {
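Review bot: the new guard in index.js, `!/__proto__/.test(path)`, is a substring regex over the whole path (an array path is coerced to a comma-joined string) rather than a check of each segment, so it rejects any path that merely contains that text and does not cover the other segments that reach a prototype, `constructor` and `prototype`; splitting the path first and rejecting a segment that is exactly one of `__proto__`, `constructor` or `prototype` would be the more robust check. The guard also makes set() return `object` unchanged on rejection, indistinguishable from a successful write, so a caller passing user-controlled paths cannot tell the two apart; throwing, or at least documenting the silent no-op, would help.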
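Review bot: in the second case added to test.js the title reads `set(obj, 'a.__proto__', 'foo')` but the case sets `key: "__proto__"`, so the nested path is never exercised; the key should be `'a.__proto__'`. Both new cases also only compare the returned object against `expected`; an assertion that `Object.prototype` gained no property after the call (for example that a fresh `{}` still lacks the key) would check the thing the fix is about, and the array-path form (`set(obj, ['a', '__proto__'], 'foo')`) is not covered at all.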
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-pqwc-3vhw-qcvq (ghsa: ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2020-28278 (ghsa: ADVISORY)
- github.com/robinvdvleuten/shvl/blob/bef0a3ebade444cc6b297147ecf5242308f0892e/index.js (mitre: x_refsource_MISC)
- github.com/robinvdvleuten/shvl/commit/513c0848774dfb114ad0d0554abf7927cfdd569e (ghsa: WEB)
- github.com/robinvdvleuten/shvl/issues/34 (ghsa: WEB)
- github.com/robinvdvleuten/shvl/pull/36 (ghsa: WEB)
- web.archive.org/web/20210320222933/https://www.whitesourcesoftware.com/vulnerability-database/CVE-2020-28278 (ghsa: WEB)
- www.whitesourcesoftware.com/vulnerability-database/CVE-2020-28278 (mitre: x_refsource_CONFIRM)
News mentions
No linked articles in our index yet.