Prototype Pollution
Description
Prototype pollution in conf-cfg-ini before 1.2.2 allows attackers to pollute Object prototypes via malicious INI files, potentially enabling remote code execution.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability Overview
The JavaScript package conf-cfg-ini prior to version 1.2.2 is vulnerable to prototype pollution. The decode function, which parses INI file data, does not properly validate or reject properties that can modify the global Object.prototype. By crafting a malicious INI file with special keys such as __proto__, an attacker can inject arbitrary properties into the prototype chain of all JavaScript objects in the application [1][2].
Exploitation Mechanism
An attacker must submit a specially crafted INI file to an application that parses it using conf-cfg-ini's decode method. The vulnerability exists because the parser creates new sections and keys from user-supplied input without filtering known dangerous property names (e.g., __proto__, constructor, prototype). For example, a payload like [__proto__]\nfoo:bar would set foo on Object.prototype, impacting all objects in the runtime [2][4]. The fix introduced in commit 3a88a6c explicitly blocks keys such as __proto__ and similar accessors to prevent this attack [4].
Potential Impact
Successful prototype pollution can have severe consequences. By polluting the base Object prototype, an attacker may alter the behavior of the application, cause denial of service via exceptions, or manipulate code logic to bypass security controls. In many contexts, this can lead to remote code execution (RCE) when the attacker's injected properties affect operations like property lookups or conditional checks [2].
Mitigation
The vulnerability is addressed in version 1.2.2 of conf-cfg-ini. Users should upgrade to this or a later release. The commit ecd878f and a subsequent fix (3a88a6c) introduce checks to reject unsafe prototype keys during parsing [3][4]. No workarounds are documented for earlier versions.
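The mechanism and the fix described above, as an added example that is not the conf-cfg-ini code itself: a minimal INI decoder in the spirit of Config.prototype.decode with a safe=false path that reproduces the pre-1.2.2 behaviour and a safe path that mirrors the protected-key filter from the fix commit. The safe path additionally stores every container in a null-prototype object and adds constructor/prototype to the block list; both of those go beyond the upstream patch and are assumptions of this example, and the payload and helper names are constructed here.

```javascript
'use strict';

// Key names the fix commit blocks; 'constructor' and 'prototype' are added
// here as defence in depth (an assumption, not part of the upstream patch).
const PROTECTED_KEYS = new Set([
  '__proto__', '__defineGetter__', '__defineSetter__',
  '__lookupGetter__', '__lookupSetter__', 'constructor', 'prototype',
]);

// Minimal INI decoder in the spirit of Config.prototype.decode.
// safe=false reproduces the pre-1.2.2 logic: "[__proto__]" resolves to
// result.__proto__ === Object.prototype, so typeof is 'object', no fresh
// section object is created, and "foo:bar" lands on Object.prototype.
// safe=true applies the patched key filter and keeps every container
// prototype-less, so a stray dunder key can only ever be an own property.
function decodeIni(data, { safe = true, lineEnding = '\n', assign = ':' } = {}) {
  const newObj = () => (safe ? Object.create(null) : {});
  const result = newObj();
  let section; // undefined until the first [header]
  for (const raw of data.split(lineEnding)) {
    const line = raw.trim();
    if (line === '' || line[0] === ';' || line[0] === '#') continue; // blank or comment
    const header = line.match(/^\[(.+)\]$/);
    if (header) {
      section = header[1].trim();
      if (safe && PROTECTED_KEYS.has(section)) continue; // patched check
      const exists = safe
        ? Object.prototype.hasOwnProperty.call(result, section)
        : typeof result[section] !== 'undefined'; // pre-fix check: inherited props count
      if (!exists) result[section] = newObj();
      continue;
    }
    const at = line.indexOf(assign);
    if (at < 0) continue; // not a key/value line
    const key = line.slice(0, at).trim();
    const value = line.slice(at + 1).trim();
    if (safe && (PROTECTED_KEYS.has(section) || PROTECTED_KEYS.has(key))) continue;
    if (section === undefined) result[key] = value;
    else result[section][key] = value;
  }
  return result;
}

// Defender-side probe: a marker visible on a brand-new empty object can only
// have arrived through the prototype chain.
function isPolluted(marker) {
  return marker in {};
}

// Constructed sample: the advisory's payload followed by an ordinary section.
const SAMPLE = '[__proto__]\nfoo:bar\n[app]\nname:demo\n';
console.log('polluted after safe decode:', isPolluted('foo')); // false
```

Running the same SAMPLE through decodeIni(SAMPLE, { safe: false }) sets Object.prototype.foo, which isPolluted('foo') then reports as true for every object in the process.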
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| conf-cfg-ini (npm) | < 1.2.2 | 1.2.2 |
Affected products
- conf-cfg-ini/conf-cfg-ini
Patches
3a88a6c52c31 fix: prevent prototype pollution attack
2 files changed · +15 −1
conf-cfg-ini.js+5 −1 modified@@ -35,6 +35,7 @@ Config.prototype.decode = function(data){ throw new Error('expecting string but got '+typeof data); } } + var protectedKeys = ['__defineGetter__', '__defineSetter__', '__lookupGetter__', '__lookupSetter__', '__proto__']; var result = {}; var currentSection = undefined; var lines = data.split(this.options.lineEnding); @@ -51,7 +52,7 @@ Config.prototype.decode = function(data){ var newSection = line.match(sectionRegExp); if(newSection !== null){ currentSection = newSection[1]; - if(typeof result[currentSection] === 'undefined'){ + if(typeof result[currentSection] === 'undefined' && !protectedKeys.includes(currentSection)){ result[currentSection] = {}; } continue; @@ -78,6 +79,9 @@ Config.prototype.decode = function(data){ if (typeof this.options.valueIdentifier === 'string') { value = this.valueTrim(value, this.options.valueIdentifier); } + if (protectedKeys.includes(currentSection) || protectedKeys.includes(key)) { + continue; + } if(typeof currentSection === 'undefined'){ result[key] = value; } else {
conf-cfg-ini.spec.js+10 −0 modified@@ -112,6 +112,16 @@ describe('Config', function() { expect(result.Section.foo).to.equal("bar"); }); + it('decode should prevent prototype pollution attacks', function () { + var config = new Config(); + config.options.lineEnding = "\n"; + config.options.assignIdentifier = ":"; + var result = config.decode("[__proto__]\nfoo:bar\n"); + should.not.exist(result.__proto__.foo); + result = config.decode("[Section]\n__proto__:bar\n"); + expect(result.Section.__proto__).to.not.equal("bar"); + }); + it('valueTrim should trim custom chars', function () { var config = new Config(); expect(config.valueTrim('"Te"s"t"', '"')).to.equal('Te"s"t');
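Review bot: in the second and third conf-cfg-ini.js hunks a protected section or key is dropped with a bare `continue`, so a config author who names a section `__proto__` by accident gets no signal; throwing, or at least logging, would be safer, and the `var protectedKeys = [...]` line deserves a one-line comment on why those names are dangerous. The underlying cause is the `typeof result[currentSection] === 'undefined'` check, which is never true for `__proto__` because `result['__proto__']` resolves to Object.prototype; building `result` with `Object.create(null)` or testing with `Object.prototype.hasOwnProperty.call(result, currentSection)` would close that whole class of key rather than relying on a hand-maintained list.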
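Review bot: the new spec case only exercises `__proto__`; the four `__define*__`/`__lookup*__` names added to `protectedKeys` have no coverage, so loop over the list (or add one `it` per name) so a future edit to the array cannot silently regress. Also, if `should.not.exist(result.__proto__.foo)` ever fails, `Object.prototype.foo` stays set for every later test in the file; add a cleanup hook that deletes it so one failure does not cascade.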
2 files changed · +2 −2
package.json+1 −1 modified@@ -1,6 +1,6 @@ { "name": "conf-cfg-ini", - "version": "1.2.1", + "version": "1.2.2", "description": "encode and decode ini,conf,cfg files", "author": "Rolf Loges", "license": "MIT",
package-lock.json+1 −1 modified@@ -1,6 +1,6 @@ { "name": "conf-cfg-ini", - "version": "1.2.1", + "version": "1.2.2", "lockfileVersion": 1, "requires": true, "dependencies": {
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- https://github.com/advisories/GHSA-m6mg-jvjf-w44x (GitHub Security Advisory)
- https://nvd.nist.gov/vuln/detail/CVE-2020-28441 (NVD)
- https://github.com/loge5/conf-cfg-ini/commit/3a88a6c52c31eb6c0f033369eed40aa168a636ea (fix commit)
- https://github.com/loge5/conf-cfg-ini/commit/ecd878f8f7398e765739e989c7fe7cc052308947 (release commit)
- https://security.snyk.io/vuln/SNYK-JS-CONFCFGINI-1048973 (Snyk)