VYPR
Critical severity · NVD Advisory · Published Aug 14, 2020 · Updated Sep 16, 2024

Prototype Pollution

CVE-2020-7700

Description

phpjs is vulnerable to Prototype Pollution via parse_str, allowing attackers to pollute object prototypes.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability Overview

CVE-2020-7700 affects the phpjs npm package, a community port of PHP functions to JavaScript. The parse_str function is vulnerable to Prototype Pollution because it does not sanitize keys in the query string, allowing an attacker to set arbitrary properties on Object.prototype.

Exploitation

An attacker can exploit this by providing a crafted string such as __proto__[polluted]=true to parse_str. No authentication is required; any application that passes user-controlled input to this function is affected. The attack runs client-side or server-side (Node.js) depending on the environment.

Impact

Successful prototype pollution can lead to unexpected behavior, denial of service, or property injection. In some contexts, it may enable further attacks like remote code execution if combined with other vulnerabilities that rely on object properties.

Mitigation

As of August 2020, no patched version of phpjs exists; the package is unmaintained. The recommended mitigation is to avoid using phpjs or to sanitize input before passing it to parse_str.
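One way to apply the input-sanitizing mitigation described above, as an added example (not code from phpjs or from this advisory): a pre-filter that drops any key/value pair whose key path names a prototype-related property before the string is handed to parse_str. The names BLOCKED_SEGMENTS and sanitizeQuery, the deny list itself, and the sample query are assumptions constructed for illustration.

```javascript
// Added example: pre-filter for query strings before they reach phpjs parse_str.
// BLOCKED_SEGMENTS and sanitizeQuery are hypothetical names, not part of phpjs.
const BLOCKED_SEGMENTS = new Set(['__proto__', 'constructor', 'prototype']);

function sanitizeQuery(query) {
  const kept = [];
  const dropped = [];
  for (const pair of query.replace(/^\?/, '').split('&')) {
    if (pair === '') continue;
    const rawKey = pair.split('=')[0];
    let key;
    try {
      // Decode once, as a query-string parser would, so that encoded forms
      // such as %5F%5Fproto%5F%5F are compared in their decoded form.
      key = decodeURIComponent(rawKey.replace(/\+/g, ' '));
    } catch (e) {
      dropped.push(pair); // malformed percent-encoding: reject rather than guess
      continue;
    }
    // Split "a[b][c]" (or an unterminated "a[b") on brackets, then strip
    // surrounding whitespace and quotes from each path segment.
    const segments = key
      .split(/[\[\]]/)
      .map((s) => s.trim().replace(/^['"]|['"]$/g, ''));
    if (segments.some((s) => BLOCKED_SEGMENTS.has(s))) {
      dropped.push(pair);
    } else {
      kept.push(pair);
    }
  }
  return { query: kept.join('&'), dropped };
}

// Constructed sample input; the second pair is the string quoted in this advisory.
const sample = [
  'user=alice',
  '__proto__[polluted]=true',
  'a[b]=1',
  '%5F%5Fproto%5F%5F[x]=1',
  'a[constructor][prototype][y]=2',
].join('&');

const result = sanitizeQuery(sample);
console.log('pass to parse_str:', result.query);
console.log('dropped pairs:', result.dropped);
```

Log the dropped pairs rather than discarding them silently: a request carrying such keys is a useful detection signal.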

References: [1] NVD - CVE-2020-7700 [2] Snyk Vulnerability Database - SNYK-JS-PHPJS-598681

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package | Affected versions | Patched versions
phpjs (npm) | <= 1.3.2 |

Patches

0

No patches discovered yet.
