Critical severity · NVD Advisory · Published Sep 1, 2020 · Updated Sep 16, 2024

Prototype Pollution

CVE-2020-7713

Description

All versions of package arr-flatten-unflatten are vulnerable to Prototype Pollution via the constructor.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

CVE-2020-7713 is a Prototype Pollution vulnerability in the `arr-flatten-unflatten` npm package, allowing attackers to inject arbitrary properties into Object.prototype.

Vulnerability

Overview

CVE-2020-7713 is a Prototype Pollution vulnerability in the npm package arr-flatten-unflatten. The NVD description attributes the issue to the package's constructor [1]; the fix commit listed under Patches on this page locates it in unflatten(), which walks bracket-path keys such as __proto__[polluted] into nested objects without rejecting prototype-related path segments, so a crafted key can reach and modify the global Object.prototype. Prototype Pollution is a JavaScript vulnerability class in which attacker-controlled keys such as __proto__, constructor or prototype are used to modify a shared prototype; because objects inherit from it, the injected properties appear on every object in the application [3].

Exploitation and Attack Surface

The attack is executed by passing a crafted object to the unflatten function. For example, calling unflatten({'__proto__[polluted]': 'Yes! Its Polluted'}) walks from the result object onto its prototype via the __proto__ segment and then sets polluted there, so Object.prototype gains the property [4]. No authentication or special privilege is required: any input that reaches the vulnerable function triggers it. The package is typically used in Node.js environments, so any application that passes untrusted keys to arr-flatten-unflatten is susceptible.

Impact

Successful exploitation can have several severe outcomes. Injected properties are inherited by every object in the process, so they can cause denial of service by making existing code throw on unexpected values, or alter the application's control flow by supplying properties that existing code consults (configuration flags, template options, command arguments), which in some applications escalates to remote code execution [3]. Because the change lands on Object.prototype, the effect is process-wide rather than confined to the object being unflattened.

Mitigation

The advisory lists every release up to and including 1.1.4 as affected and records no patched release. The maintainer's fix, merged in response to the security report, prevents the traversal from landing on the object prototype [1][4]; it is visible in the repository commit listed under Patches. Before relying on an installed version, confirm that it contains that commit (the check in unflatten.js), since the version range alone does not identify a safe release; where no such release exists, pin to the fixed commit or reject prototype-related key segments before passing untrusted input to unflatten.

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                 Ecosystem   Affected versions   Patched versions
arr-flatten-unflatten   npm         <= 1.1.4            (none listed)

Affected products

3

Patches

1
cb4351c75f87

Merge pull request #8 from 418sec/1-npm-arr-flatten-unflatten

1 file changed · +2 0
  • unflatten.js+2 0 modified
    @@ -10,6 +10,8 @@ function unflatten(obj = {}) {
         let m = {};
     
         while ((m = regex.exec(p))) {
    +      if (curr[prop] === constructor.prototype)
    +        curr[prop] = {}
           curr = curr[prop] || (curr[prop] = m[2] ? [] : {});
           prop = m[2] || m[1];
         }
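Review bot: the guard at `if (curr[prop] === constructor.prototype)` compares against a single prototype object instead of rejecting the key names that reach one, so it only covers the case where curr is a plain object and prop is __proto__. When the `m[2] ? [] : {}` branch two lines below has made curr an array, `curr['__proto__']` is Array.prototype, which is not `constructor.prototype`, and the loop walks onto it. The bare identifier `constructor` also relies on resolving through the global object to Object, which is fragile and undocumented. Suggest rejecting `__proto__`, `constructor` and `prototype` as path segments before the loop, descending only into own properties (`Object.prototype.hasOwnProperty.call(curr, prop)`), and adding a comment stating why.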
    

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

5
