Prototype Pollution
Description
CVE-2020-28458: Prototype Pollution in datatables.net due to incomplete fix for earlier vulnerability, allowing attackers to pollute Object prototype.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
CVE-2020-28458 is a Prototype Pollution vulnerability in the npm package datatables.net, affecting all versions. It arises from an incomplete fix for a previous vulnerability (SNYK-JS-DATATABLESNET-598806) [1]. The package does not adequately sanitize user-controlled data property names, so a name such as `constructor` can be used to reach and modify the object prototype.
Exploitation
An attacker can exploit this by providing crafted data that includes a constructor property with a prototype property. When DataTables processes this data during table initialization or data update, it merges the attacker's input into the package's internal objects, polluting the global Object prototype [2]. No authentication is required if the application uses user-supplied data (e.g., from JSON or URL parameters).
Impact
Prototype Pollution allows an attacker to add or modify properties of all objects in the application. This can lead to privilege escalation, denial of service, or arbitrary code execution depending on how the affected properties are used by the application [4]. The vulnerability has a CVSS score of 7.5 (High) [1].
Mitigation
Users should upgrade to datatables.net version 1.10.25 or higher, which contains the complete fix [4]. No known workarounds exist, and the package maintainers have addressed the issue in the commit [2].
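The check described above, as an added example that is not DataTables' own code: a minimal dotted-path setter modelled on the guard in `_fnSetObjectDataFn`, with a flag that switches between the incomplete guard (only `__proto__` rejected) and the completed one. `setPath`, `rejectedPaths`, `isPolluted` and `compareGuards` are names assumed here, and the sample property names are constructed.

```javascript
// Added example, not DataTables' own code: a minimal dotted-path setter
// modelled on the guard in _fnSetObjectDataFn. blockConstructor=false
// reproduces the incomplete fix (only '__proto__' rejected); true reproduces
// the completed check from the patch. Function names are assumed.
function setPath(target, path, value, blockConstructor = true) {
  const keys = path.split('.');
  let obj = target;
  // Walk every segment except the leaf, as the DataTables loop does.
  for (let i = 0; i < keys.length - 1; i++) {
    const key = keys[i];
    if (key === '__proto__' || (blockConstructor && key === 'constructor')) {
      throw new Error('Cannot set prototype values');
    }
    if (obj[key] === undefined) obj[key] = {};
    obj = obj[key];
  }
  obj[keys[keys.length - 1]] = value;
  return target;
}

// Which of the given data property names does the guard refuse?
function rejectedPaths(paths, blockConstructor = true) {
  return paths.filter((p) => {
    try { setPath({}, p, 1, blockConstructor); return false; } catch (e) { return true; }
  });
}

// Has Object.prototype acquired an own property it never defined?
function isPolluted(name) {
  return Object.prototype.hasOwnProperty.call(Object.prototype, name);
}

// Run the same constructed property names through both guards and report.
function compareGuards() {
  const paths = ['a.b.c', '__proto__.polluted', 'constructor.prototype.polluted'];
  const result = {};
  result.incompleteRejects = rejectedPaths(paths, false);
  result.pollutedAfterIncomplete = isPolluted('polluted');
  delete Object.prototype.polluted; // undo what the incomplete guard let through
  result.completeRejects = rejectedPaths(paths, true);
  result.pollutedAfterComplete = isPolluted('polluted');
  return result;
}

console.log(compareGuards());
```

The incomplete guard refuses only the `__proto__` name and lets `constructor.prototype.polluted` land on `Object.prototype`; the completed guard refuses both.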
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| datatables.net (npm) | < 1.10.22 | 1.10.22 |
Affected products
- datatables.net/datatables.net
Patches
a51cbe99fd3d Fix: Possible prototype pollution if `constructor` were used in a data property name
1 file changed · +1 −1
js/core/core.data.js+1 −1 modified@@ -357,7 +357,7 @@ function _fnSetObjectDataFn( mSource ) for ( var i=0, iLen=a.length-1 ; i<iLen ; i++ ) { // Protect against prototype pollution - if (a[i] === '__proto__') { + if (a[i] === '__proto__' || a[i] === 'constructor') { throw new Error('Cannot set prototype values'); }
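Review bot: the guard only covers the segments the loop visits, and the loop runs `i<iLen` with `iLen=a.length-1`, so the final segment of the data property name is never checked; a trailing `__proto__` or `constructor` is still used as the leaf key on the target object rather than rejected. The denylist is also the minimum for this fix: consider rejecting `prototype` as well for defence in depth, and adding a test that a data property name of the form `constructor.prototype.x` throws, since the earlier `__proto__`-only check is exactly what this commit is completing.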
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-m7j4-fhg6-xf5v (GHSA advisory)
- nvd.nist.gov/vuln/detail/CVE-2020-28458 (NVD)
- github.com/DataTables/DataTablesSrc/commit/a51cbe99fd3d02aa5582f97d4af1615d11a1ea03 (fix commit)
- github.com/DataTables/Dist-DataTables/blob/master/js/jquery.dataTables.js%23L2766
- security.netapp.com/advisory/ntap-20240621-0006
- snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-1051961
- snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1051962
- snyk.io/vuln/SNYK-JS-DATATABLESNET-1016402
- snyk.io/vuln/SNYK-JS-DATATABLESNET-598806
News mentions
No linked articles in our index yet.