VYPR
Moderate severity · OSV Advisory · Published Dec 22, 2020 · Updated Sep 17, 2024

Prototype Pollution

CVE-2020-28460

Description

Prototype pollution in multi-ini <2.1.2 allows attackers to pollute Object.prototype via constructor.__proto__, bypassing a previous fix.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.


Vulnerability

Overview

The multi-ini npm package before version 2.1.2 is vulnerable to prototype pollution. The parser turns an INI `[section]` header into a nested object and a dotted key into a deeper path, reaching each level by indexing the object it already has. An attacker who controls an INI file can therefore name a section `[constructor]` and set `prototype.polluted = polluted` under it: `result.constructor` resolves to `Object` and `Object.prototype` is then written to. The fix commit's test data also adds a bare `[prototype]` section for the same reason. This bypasses the previous fix for CVE-2020-28448, which only blocked keys containing `__proto__` [1][2].

Attack Vector

An attacker who can get a crafted INI file in front of the parser can exploit this; no authentication is involved, the only precondition is that the application parses untrusted input. The file names a section `[constructor]` and sets a key under it such as `prototype.polluted = polluted`, which the parser resolves to `Object.prototype.polluted` [2].

Impact

Successful exploitation pollutes `Object.prototype`, so the injected properties appear on every object that inherits from it, including objects the application never touched. Depending on how the application reads those objects this results in unexpected behavior, denial of service, or, where a polluted property reaches an unsafe sink, arbitrary code execution.

Mitigation

The issue is fixed in version 2.1.2 of multi-ini. The fix extends the regular expression used to ignore dangerous keys from `/__proto__/` to `/__proto__|constructor|prototype/`, so section names and key segments matching any of those are dropped rather than written [2]. Users should update to 2.1.2 or later. No workaround is available beyond not feeding untrusted INI content to an affected version.
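To make the bypass and the fix concrete, here is an added example, constructed for this page and not multi-ini's own code. It is a minimal INI parser that reproduces the two behaviours the advisory relies on: a `[section]` header opens a nested object under the result, and a dotted key nests further, each level reached by indexing the object already in hand. It parses a constructed fixture that mirrors the `[constructor]` / `prototype.polluted` and `__proto__.path_polluted` cases from the fix commit's test data, once with a 2.1.1-style filter that ignores only `__proto__` and once with a 2.1.2-style filter that also ignores `constructor` and `prototype`, and reports whether `Object.prototype` was polluted. `parseIni`, `IGNORE_V211`, `IGNORE_V212`, `SAMPLE_INI` and `pollutes` are names assumed by the example, not the library's API.

```javascript
// Added example, not multi-ini's own code. A minimal INI parser that mimics the
// two behaviours the advisory depends on: a [section] header opens a nested
// object under the result, and a dotted key (a.b=c) nests further. Containers
// are reached by indexing, so `constructor` resolves to the Object function and
// `constructor.prototype` to Object.prototype, which is the bypass.

// Key filters modelled on the fix commit: 2.1.1 ignored only __proto__,
// 2.1.2 ignores constructor and prototype as well.
const IGNORE_V211 = /__proto__/;
const IGNORE_V212 = /__proto__|constructor|prototype/;

function parseIni(text, ignoreKeys) {
  const result = {};
  let section = result;
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.trim();
    if (!line || line.startsWith(';') || line.startsWith('#')) continue;

    const header = line.match(/^\[(.+)\]$/);
    if (header) {
      const name = header[1].trim();
      if (ignoreKeys.test(name)) {
        section = {}; // throw-away object: keys under an ignored section go nowhere
        continue;
      }
      // Indexing `result[name]` is where the bypass lives: for name ===
      // 'constructor' this yields the Object function, not undefined.
      if (result[name] == null) result[name] = {};
      section = result[name];
      continue;
    }

    const eq = line.indexOf('=');
    if (eq < 0) continue;
    const path = line.slice(0, eq).trim().split('.');
    const value = line.slice(eq + 1).trim().replace(/^"(.*)"$/, '$1');
    if (path.some((segment) => ignoreKeys.test(segment))) continue;

    let cur = section;
    for (const segment of path.slice(0, -1)) {
      if (cur[segment] == null) cur[segment] = {};
      cur = cur[segment]; // with cur === Object and segment 'prototype' this is Object.prototype
    }
    cur[path[path.length - 1]] = value;
  }
  return result;
}

// Constructed fixture mirroring the cases in test/data/prototype_pollution.ini
// from the fix commit: a __proto__ path (caught by both filters) and the
// [constructor] section with prototype.polluted (caught only by 2.1.2).
const SAMPLE_INI = [
  '[other]',
  'value=key',
  '__proto__.path_polluted="polluted"',
  '[constructor]',
  'prototype.polluted = polluted',
].join('\n');

// Parse the fixture with the given filter and report whether Object.prototype
// gained an own `polluted` property; clean up afterwards so runs are independent.
function pollutes(ignoreKeys) {
  parseIni(SAMPLE_INI, ignoreKeys);
  const hit = Object.prototype.hasOwnProperty.call(Object.prototype, 'polluted');
  delete Object.prototype.polluted;
  return hit;
}

console.log('2.1.1-style filter polluted Object.prototype:', pollutes(IGNORE_V211)); // true
console.log('2.1.2-style filter polluted Object.prototype:', pollutes(IGNORE_V212)); // false
```

The deny-list works here because the fixture uses the exact words, but the filter is a substring match on each segment, so a benign key such as `prototype_version` is dropped as well; a parser that creates its containers with `Object.create(null)` or only descends into own properties would not need the list at all.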

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package     Ecosystem   Affected versions   Patched versions
multi-ini   npm         < 2.1.2             2.1.2

Affected products

2

Patches

1
6b2212b2ce15

Fixed 2nd issue with prototype pollution

https://github.com/evangelion1204/multi-ini · Michael Iwersen · Dec 19, 2020 · via ghsa
4 files changed · +13 −3
  • package.json (+1 −1, modified)
    @@ -1,6 +1,6 @@
     {
       "name": "multi-ini",
    -  "version": "2.1.1",
    +  "version": "2.1.2",
       "license": "MIT",
       "description": "An ini-file parser which supports multi line, multiple levels and arrays to get a maximum of compatibility with Zend config files.",
       "main": "lib/index.js",
    
  • README.md (+6 −0, modified)
    @@ -137,6 +137,12 @@ content = serializer.serialize({
     
     ## Changelog
     
    +### 2.1.2
    +* Fixed prototype pollution by ignoring `constructor`
    +
    +### 2.1.1
    +* Fixed prototype pollution by ignoring `__proto__`
    +
     ### 1.0.1
     * Fixed bug with `keep_quotes` ignored when writing files
     
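Review bot: the 2.1.2 changelog entry (`* Fixed prototype pollution by ignoring \`constructor\``) understates the change; the parser hunk adds both `constructor` and `prototype` to REGEXP_IGNORE_KEYS, so the entry should read "by ignoring `constructor` and `prototype`". It would also help users to state here that matching section names and key segments are silently dropped rather than rejected with an error, since a config that happened to use such a key behaves differently after upgrading.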
    
  • src/parser.js (+1 −1, modified)
    @@ -20,7 +20,7 @@ const defaults = {
         constants: {},
     };
     
    -const REGEXP_IGNORE_KEYS = /__proto__/;
    +const REGEXP_IGNORE_KEYS = /__proto__|constructor|prototype/;
     
     class Parser {
         constructor(options = {}) {
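Review bot: `/__proto__|constructor|prototype/` is an unanchored substring match, so any legitimate section or key name that merely contains one of these words (for example `prototype_version` or `my_constructor`) will now be ignored too; anchor the pattern to a whole key segment, e.g. `/^(__proto__|constructor|prototype)$/`, and apply it per dotted segment so `a.constructor.b` is still caught. More generally a deny-list grows with every bypass (this is already the second entry after 2.1.1); a structural fix is to build the result and section objects with `Object.create(null)` or to only descend into own properties, so that `constructor` resolves to nothing rather than to `Object`.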
    
  • test/data/prototype_pollution.ini (+5 −1, modified)
    @@ -3,4 +3,8 @@ value=key
     [__proto__]
     polluted="polluted"
     [other]
    -__proto__.path_polluted="polluted"
    \ No newline at end of file
    +__proto__.path_polluted="polluted"
    +[constructor]
    +prototype.polluted = polluted
    +[prototype]
    +polluted = polluted
    \ No newline at end of file
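Review bot: the fixture now exercises `[constructor]` with `prototype.polluted` and a bare `[prototype]` section, but this commit touches no test spec (the four changed files are package.json, README.md, src/parser.js and this fixture), so the diff does not show that any assertion checks `({}).polluted` is undefined after parsing or that the parsed result contains no `constructor` or `prototype` keys; please add or point to that assertion, and consider a negative case with a key that only contains `prototype` as a substring to pin down the new regex's intended behaviour. Minor: the added lines use unquoted values (`polluted = polluted`) while the existing ones are quoted (`polluted="polluted"`); consistent quoting keeps the fixture's intent clear.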
    

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

4
