VYPR
Critical severity · NVD Advisory · Published Dec 15, 2020 · Updated Sep 16, 2024

Prototype Pollution

CVE-2020-28442

Description

js-data is vulnerable to Prototype Pollution via the deepFillIn function, allowing attackers to inject properties into Object.prototype.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

Overview

CVE-2020-28442 affects all versions of the js-data JavaScript library. The vulnerability is a Prototype Pollution issue in the deepFillIn function, which recursively merges objects without proper sanitization of special properties like __proto__, constructor, or prototype [1][2]. This allows an attacker to pollute the base Object prototype by injecting properties through a crafted object.

Exploitation

An attacker can exploit this by providing a malicious JSON payload containing a __proto__ property to any application that uses js-data's deepFillIn function to merge user-controlled data. No authentication is required if the application exposes an endpoint that processes such input. The attack leverages unsafe recursive merge logic, as described in the Snyk advisory [2].

Impact

Successful exploitation leads to Prototype Pollution, which can cause denial of service via JavaScript exceptions or, more critically, tamper with application logic to force code paths that may lead to remote code execution [2]. Since polluted properties are inherited by all objects, the impact can be widespread across the application.

Mitigation

The issue was fixed in a pull request and commit that added checks for magic attributes like __proto__ during deep merge operations [3][4]. Users should update to a patched version of js-data. No workaround is provided; upgrading is the recommended action.
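The merge logic the advisory describes and the guard the fix added, as an added example that is not js-data's own code: a minimal recursive merge that lets a JSON-sourced `__proto__` key reach `Object.prototype`, the same merge with the fix commit's key check, and a regression check that reads the result back from a fresh object. `unsafeDeepMerge`, `safeDeepMerge`, `isUnsafeKey` and `demo` are hypothetical names, and the loose `isPlainObject` test is an assumption standing in for the library's own.

```javascript
// Added illustration, not js-data code; names below are hypothetical.

// Assumed "plain object" test: it accepts Object.prototype itself, which is
// what lets the unsafe merge descend into the shared prototype.
const isPlainObject = (v) => v !== null && typeof v === 'object' && !Array.isArray(v);

// Vulnerable variant: every enumerable key is merged. An own "__proto__" key
// (as JSON.parse produces) resolves dest["__proto__"] to Object.prototype.
function unsafeDeepMerge(dest, source) {
  for (const key in source) {
    const value = source[key];
    const existing = dest[key];
    if (isPlainObject(value) && isPlainObject(existing)) {
      unsafeDeepMerge(existing, value);
    } else {
      dest[key] = value;
    }
  }
  return dest;
}

// Hardened variant: skip the keys that reach the prototype chain at every
// recursion level, as the fix's isPrototypePolluted() check does.
const UNSAFE_KEYS = new Set(['__proto__', 'prototype', 'constructor']);
const isUnsafeKey = (key) => UNSAFE_KEYS.has(key);

function safeDeepMerge(dest, source) {
  for (const key in source) {
    if (isUnsafeKey(key)) continue;
    const value = source[key];
    const existing = dest[key];
    if (isPlainObject(value) && isPlainObject(existing)) {
      safeDeepMerge(existing, value);
    } else {
      dest[key] = value;
    }
  }
  return dest;
}

// Regression check: merge a constructed payload shaped like the fix's test,
// read the property back from a fresh object, then restore the prototype.
function demo(mergeFn) {
  const payload = JSON.parse('{"__proto__":{"polluted":"yes"},"name":"ok"}');
  const dest = {};
  mergeFn(dest, payload);
  const leaked = ({}).polluted; // defined only if Object.prototype was polluted
  delete Object.prototype.polluted;
  return { leaked, name: dest.name };
}

console.log('unsafe:', demo(unsafeDeepMerge)); // { leaked: 'yes', name: 'ok' }
console.log('safe:  ', demo(safeDeepMerge));   // { leaked: undefined, name: 'ok' }
```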

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package         Affected versions   Patched versions
js-data (npm)   < 3.0.10            3.0.10


Patches

2d9eed5d3e97

Security Fix for Prototype Pollution - huntr.dev (#574)

https://github.com/js-data/js-data · huntr.dev | the place to protect open source · Mar 19, 2021 · via ghsa
2 files changed · +14 −0
  • src/utils.js · +5 −0 · modified
    @@ -70,6 +70,10 @@ const mkdirP = function (object, path) {
       return object
     }
     
    +const isPrototypePolluted = function (key) {
    +  return ['__proto__', 'prototype', 'constructor'].includes(key)
    +}
    +
     const utils = {
       /**
        * Reference to the Promise constructor used by JSData. Defaults to
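Review bot: the name `isPrototypePolluted` reads as a predicate on an object's state, but the function tests whether a property name is one of the three keys that reach the prototype chain; a name such as `isUnsafeKey (key)` plus a one-line comment on why `__proto__`, `prototype` and `constructor` are excluded would make the guard's intent clear to the next reader. The array literal is also re-created on every call from a per-key loop; hoisting it to a module-level constant (or a Set) avoids that allocation.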
    @@ -446,6 +450,7 @@ const utils = {
       deepMixIn (dest, source) {
         if (source) {
           for (var key in source) {
    +        if (isPrototypePolluted(key)) continue
             const value = source[key]
             const existing = dest[key]
             if (isPlainObject(value) && isPlainObject(existing)) {
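Review bot: this guard is added to `deepMixIn` only, while the advisory text names `deepFillIn` as the vulnerable entry point; confirm that `deepFillIn` delegates to this loop or receives the same `if (isPrototypePolluted(key)) continue`, otherwise the reported path stays open. Placing the check before `source[key]` is read is right, and since it sits inside the per-key loop it also applies at every recursion level into nested plain objects.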
    
  • test/unit/utils/extendUtils.test.js · +9 −0 · modified
    @@ -54,6 +54,15 @@ describe('utils.deepMixIn', function () {
         assert.deepEqual(expected, actual, 'sorce own properties recursivly copied and overriden into dest')
         assert.equal(dest, utils.deepMixIn(dest), 'empty source argument returns dest')
       })
    +
    +  it('Recursively shallow copies properties from `source` to `dest`', function () {
    +    const dest = {}
    +    const src = JSON.parse('{"__proto__":{"polluted":"Yes! Its Polluted"}}')
    +    utils.deepMixIn(dest, src)
    +
    +    assert.equal(dest.polluted, undefined, 'dest must not overwrite prototype constructor')
    +    assert.equal({}.polluted, undefined, 'must prevent prototypical inherited values')
    +  })
     })
     
     describe('utils.extend', function () {
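Review bot: the new test's description, 'Recursively shallow copies properties from `source` to `dest`', does not say what it guards against, and the first assertion message, 'dest must not overwrite prototype constructor', does not match the `__proto__` payload it uses; name it along the lines of 'does not pollute Object.prototype via a __proto__ key' and fix the messages. The guard in utils.js also blocks `prototype` and `constructor`, so two further payloads exercising those keys would keep the regression coverage aligned with the fix.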
    
