CVE-2020-7644
Description
CVE-2020-7644 is a Prototype Pollution vulnerability in fun-map through 3.3.1 that allows attackers to add or modify Object.prototype properties via a crafted '__proto__' payload.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
Overview
CVE-2020-7644 is a Prototype Pollution vulnerability discovered in the JavaScript package fun-map up to version 3.3.1. The flaw resides in the assocInM function, which does not properly sanitize object keys containing __proto__. This allows an attacker to inject arbitrary properties into Object.prototype, polluting the prototype chain of all objects in the runtime [1][2].
Exploitation
An attacker can exploit this vulnerability by crafting a malicious object with a __proto__ property that contains attacker-controlled nested properties. When the assocInM function processes this input, it merges the __proto__ payload into the global object prototype. No authentication is required if the application processes unsanitized user input through this function. The attack requires the application to use the vulnerable assocInM function on user-supplied data, which is a common pattern in recursive merge or deep assign operations [1][2].
Impact
Successful exploitation grants the attacker the ability to globally modify the behavior of all objects in the JavaScript runtime. This can lead to denial of service (DoS) by overriding critical methods, property injection that alters application logic, or even remote code execution in some environments if combined with other gadget chains. The impact is amplified because prototype pollution can affect all objects, not just those directly processed [1].
Mitigation
The package maintainer released a fix in version 3.4.0 that sanitizes keys so that __proto__ cannot be set. Users should upgrade to version 3.4.0 or later. If an immediate upgrade is not possible, the workaround is to avoid using assocInM on untrusted input, or to filter out __proto__ keys before processing [1][2].
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| fun-map (npm) | <= 3.3.1 | — |
Affected products
- fun-map/fun-map
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"Missing input validation in the `assocInM` function allows `__proto__` keys to modify `Object.prototype`."
Attack vector
An attacker can supply a `__proto__` key as part of the path argument to `assocInM`, causing the library to add or modify properties on `Object.prototype`. This is a classic Prototype Pollution attack [CWE-1321] that can lead to unexpected behavior across the application. The payload is delivered through the key path parameter, which is not sanitized or validated before being used to traverse and set nested object properties [1].
Affected code
The vulnerability resides in the `assocInM` function in `index.js` (line 137) of the fun-map library through version 3.3.1. The function fails to prevent prototype property manipulation when processing user-supplied keys.
What the fix does
The advisory does not include a published patch diff. The recommended mitigation is to upgrade to a version beyond 3.3.1 or apply a workaround that blocks `__proto__` keys before they reach `assocInM`. Without a patch, developers must manually sanitize key paths to reject prototype-related property names.
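As an added illustration of the root cause and the workaround (not fun-map's own code; all function names are hypothetical): a simplified unguarded nested-set helper of the shape the advisory describes for `assocInM`, beside a hardened version that rejects prototype-related path segments, plus a probe a test suite can use to confirm a helper cannot reach `Object.prototype`.

```javascript
// Added example, not fun-map's own code. assocInUnguarded is a simplified
// model of the unchecked nested-set pattern the advisory describes for
// assocInM; assocInSafe is one hardened shape. All names are hypothetical.

const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Unguarded: follows each segment, creating intermediates as needed. The
// segment '__proto__' resolves to Object.prototype, so the final write
// lands on the shared prototype instead of on `obj`.
function assocInUnguarded(obj, path, value) {
  let cur = obj;
  for (let i = 0; i < path.length - 1; i++) {
    const k = path[i];
    if (typeof cur[k] !== 'object' || cur[k] === null) cur[k] = {};
    cur = cur[k];
  }
  cur[path[path.length - 1]] = value;
  return obj;
}

// Hardened: reject prototype-related segments before touching the object,
// and only descend into own properties so an inherited accessor is never followed.
function assocInSafe(obj, path, value) {
  for (const k of path) {
    if (FORBIDDEN_KEYS.has(String(k))) throw new TypeError('prototype-related key: ' + k);
  }
  let cur = obj;
  for (let i = 0; i < path.length - 1; i++) {
    const k = path[i];
    const own = Object.prototype.hasOwnProperty.call(cur, k);
    if (!own || typeof cur[k] !== 'object' || cur[k] === null) cur[k] = {};
    cur = cur[k];
  }
  cur[path[path.length - 1]] = value;
  return obj;
}

// Regression probe: run a setter with a prototype-reaching path on a throwaway
// object and report whether an unrelated object was affected; cleans up after itself.
function probePollution(setter) {
  const unrelated = {};
  let threw = false;
  try {
    setter({}, ['__proto__', 'polluted'], 'yes');
  } catch (e) {
    threw = true;
  }
  const polluted = unrelated.polluted === 'yes';
  delete Object.prototype.polluted;
  return { threw, polluted };
}
```

The probe is the kind of check to keep in a test suite for any deep-assign or merge helper that accepts external key paths.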
Preconditions
- Input: The application must use the fun-map library's `assocInM` function with attacker-controlled key paths.
- Auth: No authentication is required; the attacker only needs to supply a crafted key path containing `__proto__`.
Generated on May 30, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-p33m-7w7f-gmj8 (GitHub Security Advisory)
- nvd.nist.gov/vuln/detail/CVE-2020-7644 (NVD)
- github.com/nathan7/fun-map/blob/master/index.js (source, cited by MITRE and GHSA)
- snyk.io/vuln/SNYK-JS-FUNMAP-564436 (Snyk)