VYPR
Critical severity · NVD Advisory · Published Dec 29, 2020 · Updated Aug 4, 2024

CVE-2020-28282

Description

Prototype pollution in getobject 0.1.0 lets an attacker cause denial of service or possibly achieve remote code execution via crafted object paths.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability Details

CVE-2020-28282 is a prototype pollution vulnerability in the getobject npm package version 0.1.0. This package provides utilities to get and set nested object properties using dot-separated paths. The flaw exists because the set method does not properly restrict the modification of an object's prototype. An attacker can supply a specially crafted path (e.g., __proto__.isAdmin) that, when the application processes untrusted input using getobject.set, pollutes the base Object.prototype.
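As an added illustration (not getobject's own source), the following is a minimal dot-path setter written the way the advisory describes the flaw, next to a hardened version that refuses prototype-chain segments and only descends into an object's own properties; the function names unsafeSet, safeSet and demo are hypothetical.

```javascript
'use strict';

// Reserved path segments that lead off the target object onto the prototype
// chain. Rejecting them wholesale is the usual hardening for dot-path setters.
const RESERVED = new Set(['__proto__', 'constructor', 'prototype']);

// Unsafe setter in the style the advisory describes: every segment is
// followed blindly, so "__proto__" on a plain object resolves to
// Object.prototype and the final assignment lands there.
function unsafeSet(obj, path, value) {
  const parts = path.split('.');
  let cur = obj;
  for (let i = 0; i < parts.length - 1; i++) {
    if (cur[parts[i]] === undefined) cur[parts[i]] = {};
    cur = cur[parts[i]];
  }
  cur[parts[parts.length - 1]] = value;
  return obj;
}

// Hardened setter: reject reserved segments up front and only descend into
// the object's own data, never into inherited properties.
function safeSet(obj, path, value) {
  const parts = path.split('.');
  for (const p of parts) {
    if (RESERVED.has(p)) throw new TypeError(`reserved key in path: ${p}`);
  }
  let cur = obj;
  for (let i = 0; i < parts.length - 1; i++) {
    const k = parts[i];
    const own = Object.prototype.hasOwnProperty.call(cur, k);
    if (!own || typeof cur[k] !== 'object' || cur[k] === null) cur[k] = {};
    cur = cur[k];
  }
  cur[parts[parts.length - 1]] = value;
  return obj;
}

// Runs both setters against the advisory's sample path and reports whether
// Object.prototype was polluted; the unsafe run is cleaned up afterwards.
function demo() {
  unsafeSet({}, '__proto__.isAdmin', true);
  const pollutedByUnsafe = ({}).isAdmin === true;
  delete Object.prototype.isAdmin;
  let rejectedBySafe = false;
  try { safeSet({}, '__proto__.isAdmin', true); } catch (e) { rejectedBySafe = true; }
  return { pollutedByUnsafe, rejectedBySafe, stillClean: ({}).isAdmin === undefined };
}

console.log(demo());
```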

Exploitation

Exploitation requires that the target application passes attacker-controlled strings as the property path argument to getobject.set (or similar unsafe usage). No authentication is inherently needed; the attack surface depends on the application's integration of the library [1][3]. The vulnerability is triggered by crafting a path that targets the prototype chain, for example __proto__ or constructor.prototype. This can be done by simply including such keys in JSON input or URL parameters if the application later sets those values via getobject.

Impact

Successful exploitation can cause a denial of service by polluting shared properties and breaking normal object behavior. More critically, under specific application contexts, prototype pollution can be escalated to remote code execution (RCE) [2]. For instance, if the polluted property influences how the application invokes functions or accesses modules, an attacker may achieve arbitrary code execution. While RCE is conditional, the denial-of-service vector is straightforward and reliable.

Mitigation

Users of getobject version 0.1.0 should upgrade to a patched version. The GitHub repository for getobject has since addressed the issue [1]. There is no public evidence that this CVE is listed in CISA's Known Exploited Vulnerabilities catalog. The maintainer recommends updating to the latest release to avoid the pollution vector [4].

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package          Affected versions   Patched versions
getobject (npm)  < 1.0.0             1.0.0

Affected products: 2

Patches: 0 (no patches discovered yet)

References: 4
