VYPR
Critical severity · NVD Advisory · Published Aug 17, 2020 · Updated Sep 17, 2024

Prototype Pollution

CVE-2020-7704

Description

CVE-2020-7704 is a prototype pollution vulnerability in the npm package linux-cmdline before 1.0.1, allowing arbitrary object property injection via crafted command-line arguments.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.


Vulnerability Overview

The linux-cmdline npm package versions prior to 1.0.1 are vulnerable to Prototype Pollution. The vulnerability resides in the package's argument-parsing logic, which recursively merges user-supplied command-line arguments into an internal object without sanitizing key properties such as __proto__ or constructor [1][2]. This allows an attacker to inject arbitrary properties into the Object prototype of the JavaScript runtime, affecting all objects in the application.

Attack Vector and Prerequisites

To exploit this vulnerability, an attacker must be able to supply crafted command-line arguments to an application that uses the linux-cmdline parser. The attack does not require authentication if the application accepts user-controlled command-line input (e.g., through a cloud function, a build tool, or a config file parser). The parser, as shown in the commit fixing the issue [4], iterates over key paths and assigns values to nested objects without checking if properties like __proto__ are being overwritten in the prototype chain [3]. The dangerous code path allowed __proto__.polluted=foo to set {}.polluted globally [4].
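The key-path walk described above, next to one own-property-only alternative, as an added example that is not code from linux-cmdline or its fix commit. The function names and the pollutedDemo property are assumptions made for illustration, and the hardening shown differs from the spread-based approach in the patch.

```javascript
// Added illustration, not linux-cmdline code. All names are hypothetical.
const hasOwn = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key)

// Same walk as the loop removed by the fix: plain reads follow the prototype chain.
function setPathUnsafe(root, path, val) {
  const keypath = path.split('.')
  let key = keypath.shift()
  let node = root
  while (keypath.length) {
    node[key] = node[key] || {} // '__proto__' resolves to Object.prototype here
    node = node[key]
    key = keypath.shift()
  }
  node[key] = val
  return root
}

// Create an own data property; for '__proto__' this bypasses the inherited setter.
function defineOwn(obj, key, value) {
  Object.defineProperty(obj, key,
    { value, writable: true, enumerable: true, configurable: true })
}

// Hardened walk: descend only into own, object-valued properties.
function setPathSafe(root, path, val) {
  const keypath = path.split('.')
  const last = keypath.pop()
  let node = root
  for (const key of keypath) {
    const own = hasOwn(node, key) ? node[key] : undefined
    if (own === null || typeof own !== 'object') defineOwn(node, key, {})
    node = node[key]
  }
  defineOwn(node, last, val)
  return root
}

// Constructed inputs; the property name is chosen so cleanup is unambiguous.
function demo() {
  setPathUnsafe({}, '__proto__.pollutedDemo', 'foo')
  const unsafeLeak = ({}).pollutedDemo
  delete Object.prototype.pollutedDemo // undo the pollution before continuing
  const parsed = setPathSafe({}, 'a.__proto__.pollutedDemo', 'foo')
  return {
    unsafeLeak,
    safeLeak: ({}).pollutedDemo,
    ownProto: hasOwn(parsed.a, '__proto__'),
    stored: parsed.a['__proto__'].pollutedDemo
  }
}
```

The same own-property test works as a regression check: after parsing untrusted input, a freshly created object should expose none of the parsed keys.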

Impact

Successful exploitation leads to Prototype Pollution, which can result in:
- Denial of Service (DoS) by causing JavaScript exceptions when polluted properties trigger unexpected behavior.
- Tampering of application logic, potentially leading to remote code execution (RCE) if the polluted property influences control flow or security checks [2].

Mitigation

The vulnerability was fixed in version 1.0.1 of linux-cmdline. The fix introduces proper key handling: the parser now checks for __proto__ at each nesting level and creates new objects only when necessary, preventing pollution of the global prototype [4]. Users should upgrade to 1.0.1 or later. There is no known workaround short of upgrading.

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

| Package | Affected versions | Patched versions |
|---|---|---|
| linux-cmdline (npm) | < 1.0.1 | 1.0.1 |


Patches

53c61a88bc47

[fix] Don't pollute prototype

https://github.com/piranna/linux-cmdline · Jesús Leganés-Combarro 'piranna · Aug 14, 2020 · via ghsa
2 files changed · +37 −12
  • index.js +22 −12 modified
    @@ -5,17 +5,6 @@ function reducer(result, arg)
       // Get key node
       const keypath = arg.shift().split('.')
     
    -  let key = keypath.shift()
    -  let node = result
    -
    -  while(keypath.length)
    -  {
    -    node[key] = node[key] || {}
    -    node = node[key]
    -
    -    key = keypath.shift()
    -  }
    -
       // Get value
       let val = true
       if(arg.length)
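
Review bot: The `// Get key node` comment at the top of this hunk is stale once the walk under it is removed, because the only statement left there splits the key path. Reword it (for example `// Split key path`) and give the relocated walk its own comment explaining why it no longer assigns through `node[key] = node[key] || {}`.
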
    @@ -24,8 +13,29 @@ function reducer(result, arg)
         if(val.length === 1) val = val[0]
       }
     
    +  let key = keypath.shift()
    +
    +  if(!keypath.length) return {...result, [key]: val}
    +
    +  if(!result.hasOwnProperty(key)) result = {...result, [key]: {}}
    +
    +  let newKey
    +  let newNode
    +  let node = result
    +
    +  while(true)
    +  {
    +    newKey = keypath.shift()
    +    newNode = node[key]
    +
    +    if(!keypath.length) break
    +
    +    node = node[key] = {...newNode, [newKey]: newNode[newKey] || {}}
    +    key = newKey
    +  }
    +
       // Store value
    -  node[key] = val
    +  node[key] = {...newNode, [newKey]: val}
     
       return result
     }
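
Review bot: `result.hasOwnProperty(key)` guards only the first path segment, while `newNode[newKey] || {}` inside the loop still reads through the prototype chain, so for a path such as `a.__proto__.x` the inherited `Object.prototype` is what gets stored and later spread. Apply the same own-property test at every level, and call it as `Object.prototype.hasOwnProperty.call(node, key)` so that a parsed top-level key named `hasOwnProperty` (stored by the `return {...result, [key]: val}` branch) cannot shadow the method. A short comment saying that the spreads are what keep writes off shared prototypes would also help the next reader.
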
    
  • test.js +15 −0 modified
    @@ -19,3 +19,18 @@ const expected =
     const result = linuxCmdline(cmdline)
     
     deepStrictEqual(result, expected)
    +
    +
    +// Don't pollute prototype
    +const result2 = linuxCmdline('__proto__.polluted=foo')
    +const expected2 =
    +{
    +  ['__proto__']:
    +  {
    +    polluted: 'foo'
    +  }
    +}
    +
    +deepStrictEqual(result2, expected2)
    +
    +deepStrictEqual({}.__proto__.polluted, undefined)
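
Review bot: Only the case where `__proto__` is the first path segment is covered, which exercises the `hasOwnProperty` branch but never the `while(true)` loop body in index.js. Add a case with `__proto__` deeper in the path (three or more segments) and assert on a fresh object directly, e.g. `deepStrictEqual({}.polluted, undefined)`. If pollution does occur, `Object.prototype.polluted` stays set for the rest of the process, so delete it in cleanup to keep later assertions meaningful.
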
    

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

4
