Prototype Pollution
Description
This affects the package total.js before 3.4.7. The set function can be used to set a value into an object according to a path. However, the keys of the path being set are not properly sanitized, leading to a prototype pollution vulnerability. The impact depends on the application. In some cases it is possible to achieve Denial of Service (DoS), Remote Code Execution (RCE) or Property Injection.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Prototype pollution vulnerability in total.js <=3.4.6 allows attackers to achieve DoS or RCE via the set function by polluting Object.prototype.
The vulnerability resides in the set function (U.set) of the total.js framework prior to version 3.4.7. This function assigns a value to an object property based on a given path. The keys in the path are not sanitized, so an attacker can supply segments naming special properties such as __proto__, constructor, or prototype. Walking such a path reaches Object.prototype, and the final assignment lands there instead of on the target object; this is prototype pollution, where the attacker injects properties into the base Object prototype [1].
Exploitation requires the ability to invoke the set function with a crafted path string. No authentication is needed beyond whatever the application already requires to reach the code path that passes user input to U.set. Because Object.prototype is shared by every object in the process, the pollution is global: for example, setting __proto__.isAdmin to true makes every plain object report isAdmin as true, which may bypass authorization checks that test that property without first checking for an own property. The Snyk advisory notes that property definition by path is a common vector for prototype pollution [2].
The impact varies by application. In many cases prototype pollution leads to Denial of Service (DoS) by triggering exceptions or infinite loops in code that iterates or type-checks objects, Remote Code Execution (RCE) when a polluted property feeds a template engine, child-process options or other code-constructing sink, or Property Injection into objects the application treats as trusted. The NVD description states that the impact depends on the application [1].
The issue was fixed in total.js version 3.4.7. The commit [3] adds a check in U.set that throws Error('Prototype pollution') when the generated accessor source contains __proto__, constructor, or prototype, so the function is never compiled for such a path. Users should upgrade to 3.4.7 or later; because the fix throws rather than silently ignoring the path, callers that pass untrusted paths should also catch the error and reject the request.
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
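The mechanism described above, as an added example in plain JavaScript rather than total.js code: a minimal dotted-path setter in the vulnerable style beside a hardened version. The function names (`setByPathVulnerable`, `setByPathSafe`, `demo`), the dotted-path syntax and the sample paths are assumptions for illustration; the real `U.set()` builds and caches a generated accessor function, which this example does not reproduce. The hardened version rejects whole path segments rather than substrings, so a legitimate key such as `constructorName` still works.

```javascript
// Added example, not total.js code. Paths are dotted strings such as
// "user.profile.name"; the attacker inputs below are constructed.

// Vulnerable: walks the path, creating intermediate objects as needed, but
// never checks whether a segment names a prototype accessor. A first segment
// of "__proto__" resolves to Object.prototype, so the final assignment
// pollutes every object in the process.
function setByPathVulnerable(obj, path, value) {
  const keys = path.split('.');
  let cur = obj;
  for (let i = 0; i < keys.length - 1; i++) {
    const k = keys[i];
    if (cur[k] === undefined || cur[k] === null) cur[k] = {};
    cur = cur[k];
  }
  cur[keys[keys.length - 1]] = value;
  return obj;
}

// Hardened: refuse any segment equal to a prototype accessor name, and only
// descend through own properties so an inherited object can never be reached.
const FORBIDDEN = new Set(['__proto__', 'constructor', 'prototype']);

function setByPathSafe(obj, path, value) {
  const keys = path.split('.');
  for (const k of keys) {
    if (FORBIDDEN.has(k)) throw new Error('Prototype pollution');
  }
  let cur = obj;
  for (let i = 0; i < keys.length - 1; i++) {
    const k = keys[i];
    const own = Object.prototype.hasOwnProperty.call(cur, k);
    if (!own || typeof cur[k] !== 'object' || cur[k] === null) cur[k] = {};
    cur = cur[k];
  }
  cur[keys[keys.length - 1]] = value;
  return obj;
}

// Shows the pollution through the vulnerable setter, then that the hardened
// setter blocks the same path while still accepting ordinary keys.
function demo() {
  const payloadPath = '__proto__.isAdmin'; // constructed attacker input

  setByPathVulnerable({}, payloadPath, true);
  const polluted = ({}).isAdmin === true; // a fresh object now "has" isAdmin

  delete Object.prototype.isAdmin; // undo so the rest of the process is clean

  let blocked = false;
  try {
    setByPathSafe({}, payloadPath, true);
  } catch (e) {
    blocked = e.message === 'Prototype pollution';
  }
  const stillClean = ({}).isAdmin === undefined;

  // A key that merely contains a forbidden word is still allowed.
  const normal = setByPathSafe({}, 'user.constructorName', 'x');
  const normalOk = normal.user.constructorName === 'x';

  return { polluted, blocked, stillClean, normalOk };
}
```

Run with `node` and inspect `demo()`; the `constructor.prototype.x` form of the payload is rejected by the same segment check, since `constructor` is itself a forbidden segment.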
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| total.js (npm) | < 3.4.7 | 3.4.7 |
Affected products
- total.js/total.js
Patches
b3f901561d66: Fixed `U.set()` by adding check for `Prototype pollution`.
1 file changed · +4 −0
utils.js+4 −0 modified@@ -6621,6 +6621,10 @@ exports.set = function(obj, path, value) { var v = arr[arr.length - 1]; var ispush = v.lastIndexOf('[]') !== -1; var a = builder.join(';') + ';var v=typeof(a)===\'function\'?a(U.get(b)):a;w' + (v[0] === '[' ? '' : '.') + (ispush ? v.replace(REGREPLACEARR, '.push(v)') : (v + '=v')) + ';return v'; + + if ((/__proto__|constructor|prototype/).test(a)) + throw new Error('Prototype pollution'); + var fn = new Function('w', 'a', 'b', a); F.temporary.other[cachekey] = fn; fn(obj, value, path);
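Review bot: the new check `(/__proto__|constructor|prototype/).test(a)` is a substring match over the generated accessor source `a`, not over the path segments, so any legitimate key that merely contains one of those words (for example `constructorName` or `prototypeId`) now throws `Prototype pollution` and breaks existing callers that used such keys. Test the segments in `arr` for equality with the three names instead, for example `if (arr.some(function(k) { return k === '__proto__' || k === 'constructor' || k === 'prototype'; })) throw new Error('Prototype pollution');`, placed before the builder work so a rejected path does no string assembly. Since the function is thrown from and not cached, the change is also worth a one-line note in the `U.set()` docs that callers passing untrusted paths must handle this error.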
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
[1] nvd.nist.gov/vuln/detail/CVE-2020-28495 (NVD advisory)
[2] snyk.io/vuln/SNYK-JS-TOTALJS-1046671 (Snyk advisory)
[3] github.com/totaljs/framework/commit/b3f901561d66ab799a4a99279893b94cad7ae4ff (fix commit)
[4] github.com/advisories/GHSA-6cf8-qhqj-vjqm (GitHub Security Advisory)
[5] docs.totaljs.com/latest/en.html#api~FrameworkUtils~U.set (U.set documentation)
[6] github.com/totaljs/framework/blob/master/utils.js#L6606 (affected code, utils.js)
[7] github.com/totaljs/framework/blob/master/utils.js#L6617 (affected code, utils.js)
[8] www.npmjs.com/package/total.js (npm package)
News mentions
No linked articles in our index yet.