VYPR
High severity · NVD Advisory · Published Feb 4, 2021 · Updated Sep 17, 2024

Prototype Pollution

CVE-2020-28450

Description

CVE-2020-28450 is a Prototype Pollution vulnerability in the decal npm package's extend function, allowing property injection via __proto__.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

CVE-2020-28450 affects all versions of the decal npm package [1]. The vulnerability resides in the extend function, which performs a recursive object merge without filtering special keys such as __proto__, constructor, or prototype [2]. This is the classic Prototype Pollution pattern: when the attacker-controlled source object carries a __proto__ property (for example one defined with Object.defineProperty()), the recursive merge follows that key and copies the nested properties onto the target's prototype chain instead of onto the target itself [2].

An attacker can exploit this by crafting a JSON payload or an object literal that includes a __proto__ property with nested properties. When the vulnerable extend function processes such an object, it recursively merges the __proto__ key, effectively polluting Object.prototype with the attacker's values. The source code of the extend function in the decal.js repository shows the unsafe recursive merge logic that lacks checks for prototype properties [3].

A successful exploit allows the attacker to inject arbitrary properties into the base object prototype of the JavaScript runtime [2]. This can lead to a variety of impacts, including denial of service (by causing JavaScript exceptions), property tampering that alters application logic, and potentially remote code execution if the injected properties are used in security-sensitive contexts like property lookups for function dispatchers or configuration overrides [2]. The vulnerability is broad because every object in the application inherits the polluted prototype properties.

As of the advisory publication date (2021-02-04), no patch had been released for the decal package, and all versions were affected [1]. Organizations using decal should treat this as unpatched and consider replacing the library or implementing a sandbox or defensive deep-clone function that filters out __proto__, constructor, and prototype keys before merging [2].

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
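The defensive merge the AI Insight recommends, as an added example that is not code from the decal project: a naive recursive merge in the pattern the advisory describes sits beside a hardened merge that skips __proto__, constructor and prototype keys. The payload, key names and function names are constructed for illustration.

```javascript
// Keys that must never be followed or written during a merge.
const BLOCKED_KEYS = new Set(["__proto__", "constructor", "prototype"]);
function isPlainObject(v) {
  return v !== null && typeof v === "object" && !Array.isArray(v);
}
// Naive recursive merge in the pattern the advisory describes. For a source
// parsed from JSON with a "__proto__" key, target["__proto__"] resolves to
// Object.prototype, so the nested values land on every plain object.
function naiveExtend(target, source) {
  for (const key of Object.keys(source)) {
    if (isPlainObject(source[key])) {
      if (!isPlainObject(target[key])) target[key] = {};
      naiveExtend(target[key], source[key]);
    } else {
      target[key] = source[key];
    }
  }
  return target;
}
// Hardened merge: skips the three dangerous keys, only treats own
// properties of target as merge points, and creates nested containers
// with a null prototype so no lookup through them reaches Object.prototype.
function safeExtend(target, source) {
  for (const key of Object.keys(source)) {
    if (BLOCKED_KEYS.has(key)) continue;
    const value = source[key];
    if (isPlainObject(value)) {
      if (!Object.prototype.hasOwnProperty.call(target, key) ||
          !isPlainObject(target[key])) {
        target[key] = Object.create(null);
      }
      safeExtend(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}
// Constructed untrusted payload of the shape the advisory describes.
const UNTRUSTED_JSON = '{"name":"cfg","__proto__":{"isAdmin":true}}';
// Merges the payload with mergeFn and reports whether a fresh object now
// inherits "isAdmin"; undoes any pollution so the process stays clean.
function mergeLeaksToPrototype(mergeFn) {
  mergeFn({}, JSON.parse(UNTRUSTED_JSON));
  const leaked = ({}).isAdmin === true;
  delete Object.prototype.isAdmin;
  return leaked;
}
```

Null-prototype containers have no inherited toString or hasOwnProperty, which can surprise callers that expect plain objects; if that matters, use `{}` for the nested container and keep the key filter, which on its own closes the __proto__ path.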

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: decal (npm)
Affected versions: <= 2.1.3
Patched versions: none listed

Affected products: 2

Patches: 0

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References: 6

News mentions: 0

No linked articles in our index yet.