Critical severity · OSV Advisory · Published Aug 18, 2020 · Updated Sep 16, 2024
Prototype Pollution
CVE-2020-7708
Description
The packages irrelon-path and @irrelon/path before version 4.7.0 are vulnerable to Prototype Pollution via the set, unSet, pushVal and pullVal functions: a dot-delimited path containing a `__proto__` segment is written into the target object without being rejected, so the assignment lands on the shared object prototype.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| irrelon-path (npm) | < 4.7.0 | 4.7.0 |
| @irrelon/path (npm) | < 4.7.0 | 4.7.0 |
Patches (1)
1. 8a126b160c1a — Fixed functions with prototype pollution vulnerability
3 files changed · +40 −9
dist/Path.js+16 −4 modified@@ -451,6 +451,8 @@ var set = function set(obj, path, val) { if (isNonCompositePath(internalPath)) { + // Do not allow prototype pollution + if (internalPath === "__proto__") return obj; obj = decouple(obj, options); obj[options.transformKey(unEscape(internalPath))] = val; return obj; @@ -459,7 +461,9 @@ var set = function set(obj, path, val) { var newObj = decouple(obj, options); var pathParts = split(internalPath); var pathPart = pathParts.shift(); - var transformedPathPart = options.transformKey(pathPart); + var transformedPathPart = options.transformKey(pathPart); // Do not allow prototype pollution + + if (transformedPathPart === "__proto__") return obj; var childPart = newObj[transformedPathPart]; if ((0, _typeof2["default"])(childPart) !== "object") { @@ -519,8 +523,12 @@ var unSet = function unSet(obj, path) { var newObj = decouple(obj, options); // Path has no dot-notation, set key/value if (isNonCompositePath(internalPath)) { - if (newObj.hasOwnProperty(unEscape(internalPath))) { - delete newObj[options.transformKey(unEscape(internalPath))]; + var unescapedPath = unEscape(internalPath); // Do not allow prototype pollution + + if (unescapedPath === "__proto__") return obj; + + if (newObj.hasOwnProperty(unescapedPath)) { + delete newObj[options.transformKey(unescapedPath)]; return newObj; } @@ -530,7 +538,9 @@ var unSet = function unSet(obj, path) { var pathParts = split(internalPath); var pathPart = pathParts.shift(); - var transformedPathPart = options.transformKey(unEscape(pathPart)); + var transformedPathPart = options.transformKey(unEscape(pathPart)); // Do not allow prototype pollution + + if (transformedPathPart === "__proto__") return obj; var childPart = newObj[transformedPathPart]; if (!childPart) { 
@@ -618,6 +628,7 @@ var pushVal = function pushVal(obj, path, val) { path = clean(path); var pathParts = split(path); var part = pathParts.shift(); + if (part === "__proto__") return obj; if (pathParts.length) { // Generate the path part in the object if it does not already exist @@ -671,6 +682,7 @@ var pullVal = function pullVal(obj, path, val) { path = clean(path); var pathParts = split(path); var part = pathParts.shift(); + if (part === "__proto__") return obj; if (pathParts.length) { // Generate the path part in the object if it does not already exist
package.json+1 −1 modified@@ -1,6 +1,6 @@ { "name": "@irrelon/path", - "version": "4.6.8", + "version": "4.7.0", "description": "A powerful JSON path processor. Allows you to drill into and manipulate JSON objects with a simple dot-delimited path format e.g. \"obj.name\".", "main": "./src/Path.js", "scripts": {
src/Path.js+23 −4 modified@@ -400,6 +400,9 @@ const set = (obj, path, val, options = {}) => { // Path has no dot-notation, set key/value if (isNonCompositePath(internalPath)) { + // Do not allow prototype pollution + if (internalPath === "__proto__") return obj; + obj = decouple(obj, options); obj[options.transformKey(unEscape(internalPath))] = val; return obj; @@ -409,6 +412,10 @@ const set = (obj, path, val, options = {}) => { const pathParts = split(internalPath); const pathPart = pathParts.shift(); const transformedPathPart = options.transformKey(pathPart); + + // Do not allow prototype pollution + if (transformedPathPart === "__proto__") return obj; + let childPart = newObj[transformedPathPart]; if (typeof childPart !== "object") { @@ -470,19 +477,27 @@ const unSet = (obj, path, options = {}, tracking = {}) => { // Path has no dot-notation, set key/value if (isNonCompositePath(internalPath)) { - if (newObj.hasOwnProperty(unEscape(internalPath))) { - delete newObj[options.transformKey(unEscape(internalPath))]; + const unescapedPath = unEscape(internalPath); + + // Do not allow prototype pollution + if (unescapedPath === "__proto__") return obj; + + if (newObj.hasOwnProperty(unescapedPath)) { + delete newObj[options.transformKey(unescapedPath)]; return newObj; } tracking.returnOriginal = true; return obj; } - const pathParts = split(internalPath); const pathPart = pathParts.shift(); const transformedPathPart = options.transformKey(unEscape(pathPart)); + + // Do not allow prototype pollution + if (transformedPathPart === "__proto__") return obj; + let childPart = newObj[transformedPathPart]; if (!childPart) { @@ -563,7 +578,9 @@ const pushVal = (obj, path, val, options = {}) => { const pathParts = split(path); const part = pathParts.shift(); - + + if (part === "__proto__") return obj; + if (pathParts.length) { // Generate the path part in the object if it does not already exist obj[part] = decouple(obj[part], options) || {}; 
@@ -613,6 +630,8 @@ const pullVal = (obj, path, val, options = {strict: true}) => { const pathParts = split(path); const part = pathParts.shift(); + + if (part === "__proto__") return obj; if (pathParts.length) { // Generate the path part in the object if it does not already exist
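Review bot: Every new guard in set, unSet, pushVal and pullVal rejects only the literal key `__proto__`, so paths built from the other prototype-reaching names (`constructor`, `prototype`) are not refused by this commit; whether a path like `constructor.prototype.x` actually reaches `Object.prototype` here depends on how the `typeof childPart !== "object"` branch and the `decouple(obj[part], options) || {}` fallback treat a function-valued child, which the hunks do not show, so a regression test for that path is warranted. A shared predicate would keep the four call sites consistent, e.g. `const isPrototypeKey = (key) => key === "__proto__" || key === "constructor" || key === "prototype";` used in place of each `=== "__proto__"` comparison. In set's non-composite branch the comparison is made against the raw `internalPath`, while the key that is actually written is `options.transformKey(unEscape(internalPath))`; the composite branch checks the post-transform value, and checking the final key in both places would stop a custom transformKey from mapping another name onto `__proto__`. pushVal and pullVal check only the first segment and their bodies continue past the hunk, so I cannot confirm from this diff that later segments are re-checked on the recursive path.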
References
References (5)
- github.com/advisories/GHSA-j7cg-h9v9-6vqp (GHSA advisory)
- nvd.nist.gov/vuln/detail/CVE-2020-7708 (NVD advisory)
- github.com/Irrelon/irrelon-path/commit/8a126b160c1a854ae511659c111413ad9910ebe3 (fix commit)
- snyk.io/vuln/SNYK-JS-IRRELONPATH-598672 (Snyk advisory)
- snyk.io/vuln/SNYK-JS-IRRELONPATH-598673 (Snyk advisory)