Prototype pollution in dojo
Description
Prototype Pollution vulnerability in dojo's deepCopy method allows attackers to inject properties into JavaScript object prototypes, patched in versions 1.12.8+.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
CVE-2020-5258 is a Prototype Pollution vulnerability in the dojo JavaScript toolkit (NPM package), specifically in the deepCopy method. Prototype Pollution occurs when an attacker can inject properties into existing JavaScript object prototypes, allowing them to overwrite or pollute the base object prototype [1][3]. The root cause is that deepCopy does not sanitize the __proto__ property: it copies that key of the source object like any other, so a crafted payload reaches the prototype chain of the target.
To exploit this vulnerability, an attacker supplies a crafted JSON object containing a __proto__ property with a malicious payload. When deepCopy processes this object, it copies the __proto__ property into the prototype chain of the target object, effectively polluting all objects in the application [3]. The attack requires the ability to pass malicious input to the deepCopy method, but no authentication is needed if the input originates from an untrusted source.
Successful exploitation allows the attacker to add arbitrary properties to the global Object.prototype. This can lead to unexpected behavior in the application, such as bypassing security checks, property overwrites, or denial of service, depending on how the polluted properties are used [1]. The impact is broad because the pollution affects all objects that inherit from the polluted prototype.
This vulnerability has been patched in versions 1.12.8, 1.13.7, 1.14.6, 1.15.3, and 1.16.2, as well as in the earlier 1.11.10 release [1][3][4]. Users should upgrade to a patched version immediately. There is no workaround short of patching, as the fix specifically sanitizes the __proto__ property during deep copy operations [4].
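The mechanism above, as an added example that is not dojo's own code: a minimal deep merge modelled on the for-in / `target[name]` loop of dojo's request/util.js deepCopy, shown in its vulnerable form next to a hardened form. It goes beyond the dojo fix by also skipping `constructor` and `prototype` and copying only own properties; the payload and the helper names (`isPlainObject`, `pollutes`) are constructed for this illustration.

```javascript
// Added example, not dojo's code: a minimal deep-merge modelled on the
// for-in / target[name] loop of dojo's request/util.js deepCopy, in its
// vulnerable form and a hardened form. Payloads below are constructed.

function isPlainObject(v) {
  return v !== null && typeof v === 'object' &&
    !Array.isArray(v) && !(v instanceof Date);
}

// Vulnerable: JSON.parse makes "__proto__" an own enumerable key, so for-in
// yields it; target["__proto__"] is Object.prototype, and the recursion
// then writes the attacker-controlled keys straight into it.
function deepCopyVulnerable(target, source) {
  for (const name in source) {
    const tval = target[name], sval = source[name];
    if (tval !== sval) {
      target[name] = isPlainObject(sval)
        ? deepCopyVulnerable(isPlainObject(tval) ? tval : {}, sval)
        : sval;
    }
  }
  return target;
}

// Hardened: skip the key dojo's fix names ("__proto__") and, as defence in
// depth, the other keys that reach a prototype; copy only own properties.
const UNSAFE_KEYS = new Set(['__proto__', 'constructor', 'prototype']);
function deepCopyHardened(target, source) {
  for (const name of Object.keys(source)) {
    if (UNSAFE_KEYS.has(name)) continue;
    const tval = target[name], sval = source[name];
    if (tval !== sval) {
      target[name] = isPlainObject(sval)
        ? deepCopyHardened(isPlainObject(tval) ? tval : {}, sval)
        : sval;
    }
  }
  return target;
}

// Feed the payload from dojo's regression test to a copy function and
// report whether Object.prototype was polluted; always cleans up after.
function pollutes(copyFn) {
  const payload = JSON.parse('{ "__proto__": { "protoPollution": true } }');
  copyFn({}, payload);
  const hit = ({}).protoPollution === true;
  delete Object.prototype.protoPollution;
  return hit;
}
```

`pollutes(deepCopyVulnerable)` returns true and `pollutes(deepCopyHardened)` returns false, while both still merge ordinary nested objects.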
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| dojo | npm | < 1.11.10 | 1.11.10 |
| dojo | npm | >= 1.12.0, < 1.12.8 | 1.12.8 |
| dojo | npm | >= 1.13.0, < 1.13.7 | 1.13.7 |
| dojo | npm | >= 1.14.0, < 1.14.6 | 1.14.6 |
| dojo | npm | >= 1.15.0, < 1.15.3 | 1.15.3 |
| dojo | npm | >= 1.16.0, < 1.16.2 | 1.16.2 |
Affected products
OSV coordinates and version ranges:
- pkg:apk/chainguard/mysql-8.0 (no CPE): < 8.0.38-r0
- pkg:apk/chainguard/mysql-8.0-bitnami-compat (no CPE): < 8.0.38-r0
- pkg:apk/chainguard/mysql-8.0-client (no CPE): < 8.0.38-r0
- pkg:apk/chainguard/mysql-8.0-dev (no CPE): < 8.0.38-r0
- pkg:apk/chainguard/mysql-8.0-iamguarded-compat (no CPE): < 8.0.38-r0
- pkg:apk/chainguard/mysql-8.0-oci-entrypoint (no CPE): < 8.0.38-r0
- pkg:apk/chainguard/mysql-8.0-oci-entrypoint-compat (no CPE): < 8.0.38-r0
- pkg:npm/dojo (no CPE): < 1.11.10
- pkg:npm/dojo: < 1.12.8
Patches
20a00afb68f5 Merge pull request from GHSA-jxfh-8wgv-vfr2
2 files changed · +7 −1
request/util.js+1 −1 modified@@ -44,7 +44,7 @@ define([ for (var name in source) { var tval = target[name], sval = source[name]; - if (tval !== sval) { + if (name !== '__proto__' && tval !== sval) { if (shouldDeepCopy(sval)) { if (Object.prototype.toString.call(sval) === '[object Date]') { // use this date test to handle crossing frame boundaries target[name] = new Date(sval);
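Review bot: the guard `name !== '__proto__'` excludes only that one key, while the loop still visits every enumerable key of `source` via `for (var name in source)` and writes through `target[name]`, recursing when `shouldDeepCopy(sval)` holds; please check whether a source key such as `constructor` (where `target[name]` is a function carrying a `prototype`) can reach `Object.prototype` through the same recursion, and if so extend the check to `constructor` and `prototype` or restrict the loop to `Object.prototype.hasOwnProperty.call(source, name)`. The bare `name !== '__proto__'` also deserves a one-line comment citing GHSA-jxfh-8wgv-vfr2 so the reason survives a later refactor.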
tests/unit/request/util.js+6 −0 modified@@ -34,6 +34,12 @@ define([ assert.equal(object1.banana.purchased.getTime(), new Date(2017, 0, 1).getTime()); }, + '.deepCopy should ignore the __proto__ property': function() { + var payload = JSON.parse('{ "__proto__": { "protoPollution": true }}'); + util.deepCopy({}, payload); + assert.isUndefined(({}).protoPollution); + }, + 'deepCopy with FormData': function(){ if (has('native-formdata')) { var formData = new FormData();
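Review bot: the new test asserts `({}).protoPollution` is undefined but never removes the property when the assertion fails, so a regression would leave `Object.prototype` polluted for every later test in the file; wrap the check in try/finally with `delete Object.prototype.protoPollution`. It also exercises only a top-level `__proto__` key; a second case with the key nested inside an object that `deepCopy` recurses into (e.g. `{ "a": { "__proto__": { "protoPollution": true } } }`) would confirm the guard holds on the recursive path as well.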
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-jxfh-8wgv-vfr2 (GHSA advisory)
- nvd.nist.gov/vuln/detail/CVE-2020-5258 (NVD advisory)
- github.com/dojo/dojo/commit/20a00afb68f5587946dc76fbeaa68c39bda2171d (fix commit)
- github.com/dojo/dojo/security/advisories/GHSA-jxfh-8wgv-vfr2 (vendor advisory)
- lists.apache.org/thread.html/r3638722360d7ae95f874280518b8d987d799a76df7a9cd78eac33a1b@%3Cusers.qpid.apache.org%3E (users@qpid.apache.org mailing list; cited by MITRE and GHSA)
- lists.apache.org/thread.html/r665fcc152bd0fec9f71511a6c2435ff24d3a71386b01b1a6df326fd3@%3Cusers.qpid.apache.org%3E (users@qpid.apache.org mailing list; cited by MITRE and GHSA)
- lists.apache.org/thread.html/rf481b3f25f05c52ba4e24991a941c1a6e88d281c6c9360a806554d00@%3Cusers.qpid.apache.org%3E (users@qpid.apache.org mailing list; cited by MITRE and GHSA)
- lists.debian.org/debian-lts-announce/2020/03/msg00012.html (Debian LTS announcement)
- www.oracle.com//security-alerts/cpujul2021.html (Oracle Critical Patch Update, July 2021)
- www.oracle.com/security-alerts/cpujan2022.html (Oracle Critical Patch Update, January 2022)
- www.oracle.com/security-alerts/cpujul2020.html (Oracle Critical Patch Update, July 2020)
- www.oracle.com/security-alerts/cpujul2022.html (Oracle Critical Patch Update, July 2022)
- www.oracle.com/security-alerts/cpuoct2021.html (Oracle Critical Patch Update, October 2021)