CVE-2020-28279
Description
Prototype pollution in flattenizer 0.0.5–1.0.5 enables DoS or potential RCE by setting arbitrary properties on Object.prototype.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
The flattenizer NPM package versions 0.0.5 through 1.0.5 are vulnerable to prototype pollution. The unflatten() function assigns object properties without checking whether the target key refers to the object's own property or a prototype chain property, such as __proto__. This allows an attacker to inject properties directly onto Object.prototype, polluting the global object [1][4].
Exploitation is straightforward: an attacker supplies a crafted input object containing a key like __proto__.polluted with a truthy value. The unflatten() function processes this key by recursively setting nested properties, ultimately assigning the value to Object.prototype.polluted. No authentication or special network position is required; the attacker only needs to pass the malicious payload to the library's unflatten() function [1][4].
The impact includes denial of service (DoS) if the injected property causes unexpected behavior in subsequent code that checks for the existence or value of that property. More critically, prototype pollution in Node.js can sometimes lead to remote code execution (RCE) if an application later uses the polluted property in a dangerous sink (e.g., eval, exec). The WhiteSource advisory and the official PoC both show that the injected property becomes globally readable under the name polluted on every object [1].
The vulnerability was fixed in version 1.0.6 via commit 3c6a635, which added a check that refuses to unflatten any key whose first segment is __proto__ [3]. Users should upgrade to the latest patched version; if an upgrade is not immediately possible, validating input keys before calling unflatten() or switching to a utility that guards against prototype pollution can serve as a temporary workaround [2].
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
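To make the mechanics above concrete, the following added example (not flattenizer's own code) implements an unflatten() of the same shape as the one the narrative describes, but with the guard generalized beyond the upstream fix: it rejects __proto__, constructor and prototype as key segments at any depth rather than only as the first segment, and it exposes a check for the observable symptom of pollution. All function names, the deny-list, and the sample input are this example's own; the sample input borrows the key shape from the upstream regression test and adds two deeper variants.

```javascript
// Added example (not flattenizer's own code): an unflatten() that refuses
// to walk prototype-chain keys at any depth, plus a check for pollution.
// Function and variable names below are this example's own.

// Key segments that must never be assigned through during unflattening.
// The upstream fix only rejects '__proto__' as the first segment; rejecting
// these at every position also covers nested '__proto__' and
// 'constructor.prototype' paths.
const UNSAFE_SEGMENTS = new Set(['__proto__', 'constructor', 'prototype']);

// Returns true when any segment of a delimited key is a prototype-chain key.
function isUnsafeKey(key, delimiter = '.') {
  return key.split(delimiter).some((seg) => UNSAFE_SEGMENTS.has(seg));
}

// Unflattens { 'a.b.c': 1 } into { a: { b: { c: 1 } } }, creating arrays when
// the next segment is an integer index, and skipping unsafe keys entirely.
// Rejected keys are returned alongside the result so callers can log them.
function safeUnflatten(flattened, delimiter = '.') {
  const result = {};
  const rejected = [];
  for (const key of Object.keys(flattened)) {
    if (isUnsafeKey(key, delimiter)) {
      rejected.push(key);
      continue;
    }
    const segments = key.split(delimiter);
    let curr = result;
    for (let idx = 0; idx < segments.length - 1; idx++) {
      const seg = segments[idx];
      // Use the own-property check so an inherited name never short-circuits
      // container creation.
      if (!Object.prototype.hasOwnProperty.call(curr, seg)) {
        const nextIsIndex = /^\d+$/.test(segments[idx + 1]);
        curr[seg] = nextIsIndex ? [] : {};
      }
      curr = curr[seg];
    }
    curr[segments[segments.length - 1]] = flattened[key];
  }
  return { result, rejected };
}

// Reports whether Object.prototype has acquired the given own property,
// which is the observable symptom of a successful pollution.
function isPrototypePolluted(name) {
  return Object.prototype.hasOwnProperty.call(Object.prototype, name);
}

// Constructed sample input: the key shape of the upstream regression test,
// plus two deeper variants that a first-segment-only check would not stop.
const SAMPLE_INPUT = {
  '__proto__.polluted': true,
  'prop1.__proto__.polluted': true,
  'constructor.prototype.polluted': true,
  'prop1.subProp1': 'value',
  'prop2.subProp2.subSubProp1': 12,
  'list.0.name': 'first',
  'list.1.name': 'second',
};

// Runs the hardened unflatten over the sample and reports whether the
// global prototype was touched.
function demo() {
  const { result, rejected } = safeUnflatten(SAMPLE_INPUT);
  return { result, rejected, polluted: isPrototypePolluted('polluted') };
}

console.log(JSON.stringify(demo(), null, 2));
```

Running the block prints the unflattened object with only the benign keys present, lists the three rejected keys, and reports polluted: false. The deny-list approach is deliberately key-based rather than relying on hasOwnProperty alone, because the dangerous step is assigning through a prototype-chain name, not reading one.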
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| flattenizer | npm | >= 0.0.5, < 1.1.1 | 1.1.1 |
Affected products
- flattenizer/flattenizer
Patches
3c6a6353df7c fix: fix prototype pollution vulnerability (#13)
3 files changed · +35 −4
api/flattenizer.api.json+3 −3 modified@@ -113,7 +113,7 @@ "excerptTokens": [ { "kind": "Content", - "text": "export declare interface IFlattened<P> " + "text": "export interface IFlattened<P> " } ], "releaseTag": "Public", @@ -184,7 +184,7 @@ "excerptTokens": [ { "kind": "Content", - "text": "export declare interface IUnflattened<P> " + "text": "export interface IUnflattened<P> " } ], "releaseTag": "Public", 
@@ -298,7 +298,7 @@ { "kind": "Variable", "canonicalReference": "flattenizer!unflatten:var", - "docComment": "/**\n * Unflattens an object with compressed keys.\n *\n * @param flattened - object to unflatten\n *\n * @param delimiter - the delimiter to be used when unflattening the object. Defaults to '.'.\n *\n * @returns The unflattened object, empty if provided object is undefined.\n *\n * @example\n * ```\n * let flattened = { name: 'Sean',\n * city: 'Kansas City',\n * 'favBreweries.0.name': 'Double Shift',\n * 'favBreweries.0.favBeer': 'Sister Abbey',\n * 'favBreweries.1.name': 'KC Bier Co',\n * 'favBreweries.1.favBeer': 'Helles' }\n *\n * unflatten(flattened)\n *\n * { name: 'Sean',\n * city: 'Kansas City',\n * favBreweries:\n * [ { name: 'Double Shift', favBeer: 'Sister Abbey' },\n * { name: 'KC Bier Co', favBeer: 'Helles' } ] }\n * ```\n *\n * @public\n */\n", + "docComment": "/**\n * Unflattens an object with compressed keys.\n *\n * @remarks\n *\n * This function will not unflatten any properties on the __proto__ object property in order to prevent pollution.\n *\n * @param flattened - object to unflatten\n *\n * @param delimiter - the delimiter to be used when unflattening the object. Defaults to '.'.\n *\n * @returns The unflattened object, empty if provided object is undefined.\n *\n * @example\n * ```\n * let flattened = { name: 'Sean',\n * city: 'Kansas City',\n * 'favBreweries.0.name': 'Double Shift',\n * 'favBreweries.0.favBeer': 'Sister Abbey',\n * 'favBreweries.1.name': 'KC Bier Co',\n * 'favBreweries.1.favBeer': 'Helles' }\n *\n * unflatten(flattened)\n *\n * { name: 'Sean',\n * city: 'Kansas City',\n * favBreweries:\n * [ { name: 'Double Shift', favBeer: 'Sister Abbey' },\n * { name: 'KC Bier Co', favBeer: 'Helles' } ] }\n * ```\n *\n * @public\n */\n", "excerptTokens": [ { "kind": "Content",
src/flattenizer.spec.ts+23 −0 modified@@ -322,4 +322,27 @@ describe('Flattenizer!', () => { expect(unflatten(flattened)).toEqual(expected); }); }); + + test('will not pollute the object __proto__ property', () => { + const flattened = { + '__proto__.polluted': true, + 'prop1.subProp1': 'value', + 'prop2.subProp2.subSubProp1': 12, + }; + + const expected = { + prop1: { + subProp1: 'value', + }, + prop2: { + subProp2: { + subSubProp1: 12, + }, + }, + }; + + const result = unflatten(flattened); + expect(result?.__proto__?.polluted).not.toBeDefined(); + expect(result).toEqual(expected); + }); });
src/flattenizer.ts+9 −1 modified@@ -102,7 +102,11 @@ const explodeProperty = ( for (let idx = 0; idx < lastKeyIndex; idx++) { const currKey = keys[idx]; - let nextKeyVal; + let nextKeyVal: any; + + if (idx === 0 && currKey === '__proto__') { + return; + } if (!currUnflattened.hasOwnProperty(currKey)) { nextKeyVal = parseInt(keys[idx + 1], 10); @@ -118,6 +122,10 @@ const explodeProperty = ( /** * Unflattens an object with compressed keys. * + * @remarks + * This function will not unflatten any properties on the __proto__ object + * property in order to prevent pollution. + * * @example * ``` * let flattened = { name: 'Sean',
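Review bot: in the src/flattenizer.ts hunk, the new guard in explodeProperty returns only when `idx === 0 && currKey === '__proto__'`, so it rejects __proto__ solely as the first key segment and never considers constructor or prototype; a key whose second or later segment is __proto__ still reaches the assignment loop. Check every segment against a small deny-list before the loop instead, e.g. `if (keys.some((k) => k === '__proto__' || k === 'constructor' || k === 'prototype')) return;`, and note that the loop bound `idx < lastKeyIndex` means the final segment is not inspected by the loop at all. The `let nextKeyVal: any;` type annotation is unrelated to the fix and would be cleaner in its own commit.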
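Review bot: in the src/flattenizer.spec.ts hunk, the assertion `expect(result?.__proto__?.polluted).not.toBeDefined()` reads through result to Object.prototype, so if the guard ever regresses the `polluted` property stays on the global prototype for the rest of the suite and can mask or cause failures elsewhere; add an afterEach that deletes Object.prototype.polluted, or assert on `({}).polluted` before and after, so the failure is isolated. The test also only exercises __proto__ as the first segment, which matches the `idx === 0` condition in the fix exactly; a second case with __proto__ nested under another key would show whether that narrower condition is intended.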
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-vq33-26pr-r4h6 (GHSA: ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2020-28279 (GHSA: ADVISORY)
- github.com/sahellebusch/flattenizer/commit/3c6a6353df7c8879e931973b81a49a47f6c2b399 (GHSA: WEB)
- github.com/sahellebusch/flattenizer/pull/13 (GHSA: x_refsource_MISC, WEB)
- web.archive.org/web/20210104205035/https://www.whitesourcesoftware.com/vulnerability-database/CVE-2020-28279 (GHSA: WEB)
- www.whitesourcesoftware.com/vulnerability-database/CVE-2020-28279 (MITRE: x_refsource_CONFIRM)
News mentions
No linked articles in our index yet.