CVE-2020-28280
Description
Prototype pollution vulnerability in 'predefine' versions 0.0.0 through 0.1.2 allows an attacker to cause a denial of service and may lead to remote code execution.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Prototype pollution in predefine npm package (0.0.0-0.1.2) via merge function allows denial of service and potential remote code execution.
The predefine npm package, used to simplify Object.defineProperties, contains a prototype pollution vulnerability in its merge function. The flaw exists in the objectForEach loop within the merge function, where the condition if (target[key] === undefined) incorrectly allows assignment to __proto__ properties, thereby polluting Object.prototype [1][3]. This affects versions 0.0.0 through 0.1.2.
An attacker can exploit this by crafting a malicious object with a __proto__ property and passing it to the merge function. No authentication or special privileges are required, as the vulnerability can be triggered by processing user-supplied input. The attack surface includes any application that uses predefine.merge() on untrusted data [2].
Successful exploitation enables an attacker to inject arbitrary properties into the global object prototype, which can lead to denial of service (e.g., infinite loops or property shadowing) and potentially remote code execution if combined with other gadgets. The impact is limited only by the attacker's ability to control the input and the environment's usage of affected properties [1].
The issue has been addressed in commit 1a86a01 by adding an explicit check using has.call(target, key) to prevent prototype pollution [4]. Users are advised to upgrade to a patched version or apply the fix manually.
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
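Added example, not code from the predefine project: a minimal re-creation of the merge loop shown in the fix diff, in its pre-fix and post-fix forms, run against the advisory's own JSON payload to show the first polluting Object.prototype and the second leaving it untouched. The each helper, the has binding and the use of target as result are assumptions, since the diff shows only the inner loop.

```javascript
const has = Object.prototype.hasOwnProperty;

// Stand-in for predefine's `each`: iterate an object's own enumerable keys
// (assumption: the real helper is not shown in the diff).
function each(obj, fn) {
  for (const key of Object.keys(obj)) fn(key, obj[key]);
}
// Pre-fix shape. For a plain-object target, target['__proto__'] resolves to
// Object.prototype, so it is not undefined and the else branch recurses INTO
// Object.prototype, writing the attacker-controlled keys onto it.
function mergeVulnerable(target, additional) {
  const result = target; // assumption: the diff does not show how result is built
  each(additional, function objectForEach(key, value) {
    if (target[key] === undefined) {
      result[key] = value;
    } else {
      result[key] = mergeVulnerable(target[key], additional[key]);
    }
  });
  return result;
}

// Post-fix shape (commit 1a86a01): recurse only when key is an OWN property of
// target, so inherited keys such as __proto__ are skipped.
function mergeFixed(target, additional) {
  const result = target;
  each(additional, function objectForEach(key, value) {
    if (target[key] === undefined) {
      result[key] = value;
    } else if (has.call(target, key)) {
      result[key] = mergeFixed(target[key], additional[key]);
    }
  });
  return result;
}

// Run a merge implementation against the advisory's payload and report whether
// Object.prototype was polluted; the stray property is removed afterwards so
// the check is repeatable within one process.
function polluted(mergeFn) {
  // JSON.parse yields an OWN "__proto__" key; an object literal would instead
  // set the prototype of the payload and never reach the loop.
  const payload = JSON.parse('{"__proto__": {"a": "b"}}');
  mergeFn({}, payload);
  const hit = ({}).a === 'b';
  delete Object.prototype.a;
  return hit;
}

console.log({ vulnerable: polluted(mergeVulnerable), fixed: polluted(mergeFixed) }); // { vulnerable: true, fixed: false }
```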
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| predefine (npm) | < 0.1.3 | 0.1.3 |
Affected products
- predefine/predefine
Patches
1a86a013c0b3: Merge pull request #12 from ohad2712/fix/address-prototype-pollution-vulnerablity-in-merge-function
2 files changed · +9 −1
index.js+1 −1 modified@@ -282,7 +282,7 @@ function merge(target, additional) { each(additional, function objectForEach(key, value) { if (target[key] === undefined) { result[key] = value; - } else { + } else if (has.call(target, key)) { result[key] = merge(target[key], additional[key]); } });
test.js+8 −0 modified@@ -181,4 +181,12 @@ describe('predefine', function () { assume(calls).to.equal(1); }); }); + + describe('.merge', function () { + it('avoids prototype polluting', function () { + predefine.merge({}, JSON.parse('{"__proto__": {"a": "b"}}')); + + assume(({}).a).to.be.undefined(); + }); + }); });
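Review bot: in the index.js hunk, the new guard `} else if (has.call(target, key)) {` silently drops any key of `additional` that `target` has only through inheritance (for a plain-object target that includes names such as `toString` or `constructor`), where before the change those keys were merged; that behaviour change deserves a comment on the guard or a changelog line. The hunk also does not show where `has` is defined, so confirm it is `Object.prototype.hasOwnProperty` (or an equivalent) bound at module scope rather than a property that the merged data could shadow. The untouched first branch is fine for the `__proto__` case, since `target['__proto__']` resolves to `Object.prototype` and is therefore never `undefined` for a plain object.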
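Review bot: in the test.js hunk, the only assertion is `assume(({}).a).to.be.undefined();` on a fresh literal, so nothing checks what `predefine.merge` returns; a regression that kept `Object.prototype` clean but stored the payload under an own `__proto__` key, or returned the wrong object, would still pass. Add an assertion on the return value as well. The `JSON.parse('{"__proto__": {"a": "b"}}')` construction is deliberate, because an object literal with `__proto__` sets the prototype instead of creating an own key; a one-line comment saying so would stop a future maintainer from simplifying it into a literal and silently hollowing out the test.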
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-mx3x-ghqm-r43h (GitHub Security Advisory)
- nvd.nist.gov/vuln/detail/CVE-2020-28280 (NVD advisory)
- github.com/bigpipe/predefine/blob/238137e3d1b8288ff5d7529c3cbcdd371888c26b/index.js (vulnerable source)
- github.com/bigpipe/predefine/commit/1a86a013c0b37c9d6ca078ba34017052af38b7fc (fix commit)
- www.whitesourcesoftware.com/vulnerability-database/CVE-2020-28280 (vendor confirmation)