VYPR
Critical severity · NVD Advisory · Published Dec 29, 2020 · Updated Aug 4, 2024

CVE-2020-28283

Description

Prototype pollution in libnested npm library (≤1.5.0) allows DoS and potentially RCE via crafted nested object paths.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

The npm package libnested is a utility for basic operations (get, set, map, etc.) on nested JavaScript objects. Versions 0.0.0 through 1.5.0 contain a prototype pollution vulnerability. The flaw resides in the set function, which assigns values to paths within an object without rejecting path components that reach into the prototype chain (such as __proto__). By constructing a path such as ['__proto__', 'polluted'], an attacker can pollute the prototype chain of the base object.

Exploitation

An attacker can trigger the vulnerability by providing a specially crafted path argument to the libnested set() function. No authentication is required if the attacker can control the path or object being set. For example, calling set({}, ['__proto__', 'x'], 'value') would set Object.prototype.x = 'value', affecting every object in the runtime that inherits from Object.prototype. The official repository's code at the set function location [2] shows that intermediate objects are created without checking for prototype keys.

Impact

Successful exploitation enables a denial of service condition by breaking normal object property resolution. Moreover, depending on how the library is used, prototype pollution can lead to remote code execution if the polluted property is later evaluated or accessed in a dangerous operation (e.g., in a template engine or abstract syntax tree traversal). The NVD assessment confirms both DoS and possible RCE [1].

Mitigation

Users should update libnested to version 1.5.1 or later, where the vulnerability has been addressed. No official workaround is documented, but application-level input validation for object paths could reduce risk. The package is open source, and the fix is available in the repository [3].
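As an added example of the application-level path validation suggested above (this is not libnested's code; it only mirrors the set(obj, pathArray, value) shape described in the advisory), the following hardened setter rejects prototype-reaching path components. It goes slightly beyond the page's '__proto__' case by also refusing 'constructor' and 'prototype', which reach Object.prototype through a different route.

```javascript
// Added example, not libnested's implementation: a nested "set" that
// refuses path components able to reach Object.prototype.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Throws for a malformed path or for any component that could
// traverse into the prototype chain.
function assertSafePath(path) {
  if (!Array.isArray(path) || path.length === 0) {
    throw new TypeError('path must be a non-empty array');
  }
  for (const key of path) {
    if (typeof key !== 'string' && typeof key !== 'number') {
      throw new TypeError('path components must be strings or numbers');
    }
    if (FORBIDDEN_KEYS.has(String(key))) {
      throw new Error(`refusing prototype-polluting path component: ${key}`);
    }
  }
}

// Assigns value at path, creating intermediate objects as needed.
// Only *own* properties are traversed; an inherited or non-object
// value at an intermediate step is shadowed by a fresh own object,
// so the walk can never descend into Object.prototype.
function safeSet(obj, path, value) {
  assertSafePath(path);
  let cur = obj;
  for (let i = 0; i < path.length - 1; i++) {
    const key = String(path[i]);
    const hasOwn = Object.prototype.hasOwnProperty.call(cur, key);
    if (!hasOwn || cur[key] === null || typeof cur[key] !== 'object') {
      cur[key] = {};
    }
    cur = cur[key];
  }
  cur[String(path[path.length - 1])] = value;
  return obj;
}

// Detection helper: true when Object.prototype carries none of the
// given keys. Useful as a regression check after exercising a setter
// with untrusted paths.
function prototypeIsClean(keys) {
  return keys.every(
    (k) => !Object.prototype.hasOwnProperty.call(Object.prototype, k)
  );
}
```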

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: libnested (npm)
Affected versions: >= 0.0.0, <= 1.5.0
Patched versions: (none listed)

Affected products: 2

Patches: 0 (no patches discovered yet)

References: 4