VYPR
Critical severity · NVD Advisory · Published Dec 29, 2020 · Updated Aug 4, 2024

CVE-2020-28281

Description

Prototype pollution in set-object-value 0.0.0-0.0.5 allows DoS or RCE via unsafe property assignment.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

The set-object-value package versions 0.0.0 through 0.0.5 contain a prototype pollution vulnerability [1]. The root cause lies in the assignment logic in index.js (line 16), where properties are set on an object without restricting the __proto__ or constructor.prototype keys [2]. This flaw allows an attacker to inject arbitrary properties into the global Object.prototype [1].

Exploitation

An attacker can exploit the vulnerability by passing a crafted object with a __proto__ or constructor.prototype key to the setObjectValue function [2]. No authentication is required, because the attack is carried out entirely through attacker-supplied input. The attack vector is low complexity, requiring only that the target application passes attacker-controlled values through the vulnerable function [1].

Impact

Prototype pollution can lead to a denial of service if unexpected properties break application logic. More critically, the description states that it may lead to remote code execution (RCE), depending on how the polluted property is used downstream [1]. An attacker could alter default values or behavior of objects, potentially executing arbitrary code in the context of the application.

Mitigation

The vulnerability affects all versions of set-object-value up to and including 0.0.5 [1]. No patched release has been identified at the time of publication. Users should avoid using the package or implement input sanitization to block __proto__ and constructor.prototype keys [2]. The package is not listed in the CISA Known Exploited Vulnerabilities (KEV) catalog as of the CVE publication date.

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
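The mitigation described above, blocking the __proto__ and constructor.prototype keys before any property is assigned, as an added example that is not code from the set-object-value package. The function name safeSetObjectValue, its dotted-path signature and the probe key "polluted" are assumptions; the page does not show the package's real API.

```javascript
// Added example, not code from the set-object-value package.
// A hardened nested property setter: every path segment is checked
// against the keys prototype pollution relies on, and the walk only
// descends into own plain-object properties, so a crafted path such as
// "__proto__.polluted" or "constructor.prototype.polluted" never
// reaches Object.prototype.

const FORBIDDEN_KEYS = new Set(["__proto__", "constructor", "prototype"]);

// Returns true when no segment of the path is a forbidden key.
function isSafePath(segments) {
  return segments.every((s) => !FORBIDDEN_KEYS.has(s));
}

// Sets `value` at `path` (dotted string or array of keys) on `target`.
// Throws instead of silently dropping the write so the caller can log it.
function safeSetObjectValue(target, path, value) {
  const segments = Array.isArray(path) ? path : String(path).split(".");
  if (!isSafePath(segments)) {
    throw new Error(`forbidden key in property path: ${segments.join(".")}`);
  }
  let cur = target;
  for (let i = 0; i < segments.length - 1; i++) {
    const key = segments[i];
    const own = Object.prototype.hasOwnProperty.call(cur, key);
    // Only reuse an own, non-null object; never pivot through an inherited one.
    if (!own || typeof cur[key] !== "object" || cur[key] === null) {
      cur[key] = {};
    }
    cur = cur[key];
  }
  cur[segments[segments.length - 1]] = value;
  return target;
}

// Post-condition check for a test or health probe: none of the given
// keys (constructed probe list) is visible on a fresh empty object.
function prototypeIsClean(probeKeys) {
  return probeKeys.every((k) => !(k in {}));
}

// Legitimate write succeeds; the crafted path is rejected and the
// global prototype stays untouched.
function demo() {
  const config = {};
  safeSetObjectValue(config, "server.port", 8080);
  let rejected = false;
  try {
    safeSetObjectValue(config, "__proto__.polluted", true); // constructed sample
  } catch (e) {
    rejected = true;
  }
  return { port: config.server.port, rejected, clean: prototypeIsClean(["polluted"]) };
}
```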

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: set-object-value (npm)
Affected versions: < 0.0.6
Patched versions: 0.0.6
