VYPR
Moderate severity · GHSA Advisory · Published Apr 7, 2020 · Updated Aug 4, 2024

CVE-2020-7618

Description

sds npm package ≤3.2.0 is vulnerable to Prototype Pollution via the set() function, allowing arbitrary property addition to Object.prototype.

AI Insight

Vulnerability

Overview

CVE-2020-7618 affects the sds npm package through version 3.2.0. The library's set function, located in js/set.js, is vulnerable to Prototype Pollution: it walks a caller-supplied key path without rejecting the keys that lead to a prototype (__proto__, or constructor followed by prototype), so an attacker who controls the path can write through to Object.prototype. Because every plain object inherits from Object.prototype, the injected property then appears on all objects in the process [1][2].

Exploitation

To exploit the vulnerability, an attacker must get a crafted key path (for example one containing a __proto__ segment) into a call to the set function, typically through untrusted input such as a parsed JSON body or query parameter that the application forwards to set. No authentication is required beyond whatever the application demands to reach that code path; the issue applies equally in client-side and server-side contexts where user input is passed to the vulnerable function [2][3].

Impact

Successful exploitation allows an attacker to inject or overwrite properties on Object.prototype, which every object in the process then inherits. Depending on how the application reads the polluted properties, this can lead to denial of service (for example, a crash when a property that is expected to be a string or function now holds an unexpected value), property injection such as flipping a flag that the application checks for but never explicitly sets, or other unexpected behaviours.

Mitigation

Users should upgrade to sds 4.0.0 or later, the patched version listed in the GitHub Security Advisory (see Affected packages below); as of the original publication date, 3.2.0 was the latest affected release. Where an upgrade is not immediately possible, treat every key path passed to set as untrusted: reject or strip the segments __proto__, constructor and prototype before calling it, and only descend into an object's own properties rather than inherited ones [1].
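The following added example shows the mechanism described above and the workaround in working code. It is not the sds package's js/set.js; vulnerableSet and safeSet are illustrative implementations of a dotted-path setter written for this page, and the crafted paths and property names (isAdmin, viaCtor, config.retries) are constructed inputs.

```javascript
// Illustrative example, not the sds library's code. vulnerableSet models the
// class of flaw in the advisory (a path setter that follows inherited keys);
// safeSet is a hardened version that refuses prototype-reaching segments.

// Vulnerable: descends through any key, including inherited ones such as
// __proto__ or constructor, so a crafted path lands on Object.prototype.
function vulnerableSet(target, path, value) {
  const keys = Array.isArray(path) ? path : String(path).split('.');
  let cur = target;
  for (let i = 0; i < keys.length - 1; i++) {
    const k = keys[i];
    if (cur[k] == null) cur[k] = {}; // auto-vivify missing intermediates
    cur = cur[k];                    // for "__proto__" this is Object.prototype
  }
  cur[keys[keys.length - 1]] = value;
  return target;
}

// Segments that let a path escape the target object and reach a prototype.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Hardened: throws on forbidden segments and only walks into own properties,
// so an inherited object is never used as an intermediate container.
function safeSet(target, path, value) {
  const keys = Array.isArray(path) ? path : String(path).split('.');
  let cur = target;
  for (let i = 0; i < keys.length; i++) {
    const k = keys[i];
    if (FORBIDDEN_KEYS.has(k)) {
      throw new Error('refusing to set through forbidden key: ' + k);
    }
    if (i === keys.length - 1) {
      cur[k] = value;
    } else {
      const own = Object.prototype.hasOwnProperty.call(cur, k);
      if (!own || cur[k] === null || typeof cur[k] !== 'object') cur[k] = {};
      cur = cur[k];
    }
  }
  return target;
}

// Runs constructed attacker paths against both setters and reports what a
// fresh, unrelated object observes afterwards. Polluted properties are
// deleted again so the process is left clean.
function demonstrate() {
  const craftedPath = '__proto__.isAdmin'; // constructed attacker input
  const result = {};

  vulnerableSet({}, craftedPath, true);
  result.vulnerableLeaks = ({}).isAdmin === true; // every object now has isAdmin
  delete Object.prototype.isAdmin;

  try {
    safeSet({}, craftedPath, true);
    result.safeThrew = false;
  } catch (e) {
    result.safeThrew = true;
  }
  result.safeLeaks = ({}).isAdmin === true; // prototype untouched

  // The second well-known route: {}.constructor is Object, whose .prototype
  // is Object.prototype. vulnerableSet follows it; safeSet rejects it.
  vulnerableSet({}, 'constructor.prototype.viaCtor', 1);
  result.ctorLeaks = ({}).viaCtor === 1;
  delete Object.prototype.viaCtor;

  // A benign nested path still works with the hardened setter.
  result.benign = JSON.stringify(safeSet({}, 'config.retries', 3));
  return result;
}

console.log(demonstrate());
```

The hardened version deliberately throws rather than silently dropping the offending segment, so that a request carrying a poisoned path fails loudly and can be logged and alerted on; silently ignoring it hides attack attempts from detection.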

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package   Ecosystem   Affected versions   Patched versions
sds       npm         < 4.0.0             4.0.0

Affected products: 2

Patches: 0 (no patch commits linked in this index; the patched release is listed under Affected packages above)

References: 5
