Prototype Pollution
Description
madlib-object-utils before 0.1.7 is vulnerable to Prototype Pollution via setValue, allowing attackers to manipulate object prototypes.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability Analysis
What the vulnerability is
CVE-2020-7701 is a Prototype Pollution vulnerability in the madlib-object-utils package, affecting versions before 0.1.7. The setValue function does not properly validate or sanitize path keys, allowing an attacker to inject properties like __proto__ or constructor into an object's prototype chain [1][2]. This class of vulnerability enables modification of an object's prototype, which can affect all objects of that type in the runtime. The fix in commit [2] adds checks for __proto__ and constructor keys, and introduces an isObject helper to validate object types before setting values.
How it is exploited
An attacker can exploit this by providing a crafted path argument to setValue, such as '__proto__.polluted', which sets a property on the global Object prototype. The official Snyk advisory includes a proof-of-concept: objectUtils.setValue('__proto__.polluted', {}, true); then console.log(polluted); [3]. No authentication or special privileges are required if the user of the package processes untrusted string inputs. The attack surface is any application that uses madlib-object-utils to set nested object properties based on user-controlled paths.
Impact
Successful exploitation allows an attacker to pollute the prototype, potentially leading to property injection that can bypass security checks, modify default object behavior, or enable further attacks like denial of service or remote code execution depending on how the application uses the polluted properties [1][3]. The vulnerability has a CVSS v3.1 base score of 9.8 (Critical) due to its high impact on confidentiality, integrity, and availability.
Mitigation
Users should upgrade madlib-object-utils to version 0.1.7 or higher, which includes the fix that blocks dangerous keys (__proto__, constructor) and validates object types [2][3]. There are no known workarounds; updating the package is the recommended course of action.
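As an added illustration of what the fix has to achieve (this is example code, not madlib-object-utils' own implementation): a nested setter that rejects prototype-reaching segments at every depth of the path, not only the first, plus a small probe that reports whether `Object.prototype` has picked up a property it should not have. The `%2E` decoding mirrors the dot-escaping convention visible in the patched code; the function names are hypothetical.

```javascript
// Added example (not madlib-object-utils code): a hardened nested setter
// and a pollution probe, in the style of the "__proto__"/"constructor"
// checks the fix adds, but applied to every path segment.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function isObject(value) {
  const type = typeof value;
  return value !== null && (type === 'object' || type === 'function');
}

// Split a dotted path and refuse any segment that could reach a prototype.
// Returns null when the path is unsafe so callers can fail closed.
// "%2E" is decoded only after the check (decoding cannot create a key name).
function splitSafePath(path) {
  const segments = String(path).split('.');
  for (const seg of segments) {
    if (seg === '' || FORBIDDEN_KEYS.has(seg)) return null;
  }
  return segments.map((seg) => seg.replace(/%2E/g, '.'));
}

// setValueSafe('a.b.c', obj, 1) creates a and a.b as needed and writes c.
// Returns true on success, false when the target or the path is refused.
function setValueSafe(path, object, value) {
  if (!isObject(object)) return false;
  const segments = splitSafePath(path);
  if (segments === null) return false;
  let current = object;
  for (let i = 0; i < segments.length - 1; i++) {
    const key = segments[i];
    // Descend only through own object-valued properties, never inherited ones.
    if (!Object.prototype.hasOwnProperty.call(current, key) || !isObject(current[key])) {
      current[key] = {};
    }
    current = current[key];
  }
  current[segments[segments.length - 1]] = value;
  return true;
}

// Detection helper for a canary key that no built-in defines (e.g. 'polluted'):
// a fresh object literal inherits it only if Object.prototype was polluted.
function isPrototypePolluted(key) {
  return key in {};
}
```

Running `setValueSafe('__proto__.polluted', {}, true)` returns false and leaves `isPrototypePolluted('polluted')` false, which is the behaviour an application-level regression test for this CVE should assert.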
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| madlib-object-utils (npm) | < 0.1.7 | 0.1.7 |
Affected products
- madlib-object-utils/madlib-object-utils
Patches
2a8d5be4fddf fix(set-value): prevent prototype pollution
2 files changed · +38 −3
lib/utils.js+21 −1 modified@@ -6,7 +6,12 @@ return define([], factory); } })(function() { - var getAndCreate, getValue, isArray, objectUtils, setValue; + var getAndCreate, getValue, isArray, isObject, objectUtils, setValue; + isObject = function(value) { + var type; + type = typeof value; + return value !== null && (type === 'object' || type === 'function'); + }; isArray = function(object) { if (Array.isArray != null) { return Array.isArray(object); @@ -25,6 +30,12 @@ aPath = ("" + path).split("."); value = object; key = aPath.shift(); + if (key === 'constructor' && typeof object[key] === 'function') { + return; + } + if (key === '__proto__') { + return; + } if (aPath.length === 0) { value = value[key.replace("%2E", ".")]; if (value == null) { @@ -47,9 +58,18 @@ if (object == null) { return; } + if (!isObject(object)) { + return; + } aPath = ("" + path).split("."); value = object; key = aPath.shift(); + if (key === 'constructor' && typeof object[key] === 'function') { + return object; + } + if (key === '__proto__') { + return object; + } while (key) { key = key.replace("%2E", "."); if (value[key] == null) {
src/utils.coffee+17 −2 modified@@ -5,6 +5,10 @@ define( [], factory ) )( () -> + isObject = ( value ) -> + type = typeof value + return value != null and ( type is 'object' or type is 'function' ) + isArray = ( object ) -> # This is lifted from underscore.js # Reason is that it was the only reason to add underscore to some @@ -27,6 +31,11 @@ value = object key = aPath.shift() + if key is 'constructor' and typeof object[key] is 'function' + return + if key is '__proto__' + return + if aPath.length is 0 # This is only a 1 deep check # @@ -41,15 +50,21 @@ value = if 0 is aPath.length then value else valueIfMissing - return value; + return value getAndCreate = ( path, object, defaultValue ) -> if not object? then return + if not isObject( object ) then return aPath = "#{path}".split( "." ) value = object key = aPath.shift() + if key is 'constructor' and typeof object[key] is 'function' + return object + if key is '__proto__' + return object + while key key = key.replace( "%2E", "." ) @@ -132,4 +147,4 @@ # ### setValue: setValue - ) \ No newline at end of file + )
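Review bot: in the getAndCreate hunk of lib/utils.js (mirrored in src/utils.coffee), the new `__proto__` / `constructor` guard runs only on the first segment popped by `key = aPath.shift()` before the `while (key)` loop; the later segments the loop walks are not checked. Consider repeating the same guard inside the loop for every segment (and treating `prototype` the same way), and adding a regression test that asserts the rejected paths leave `Object.prototype` untouched; the commit changes two source files and no test file.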
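Review bot: the `- return value;` / `+ return value` hunk and the trailing-newline hunk in src/utils.coffee are unrelated style cleanups; they are harmless, but keeping a security fix limited to the guard changes makes the commit easier to audit and backport.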
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-jvf5-q4h5-2jmj (GHSA advisory)
- nvd.nist.gov/vuln/detail/CVE-2020-7701 (NVD advisory)
- github.com/Qwerios/madlib-object-utils/commit/2a8d5be4fddfe46b69fbe25b9ebdff49a54481a8 (fix commit)
- snyk.io/vuln/SNYK-JS-MADLIBOBJECTUTILS-598676 (Snyk advisory)