VYPR
Critical severity · NVD Advisory · Published Sep 1, 2020 · Updated Sep 16, 2024

Prototype Pollution

CVE-2020-7714

Description

All versions of package confucious are vulnerable to Prototype Pollution via the set function.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

CVE-2020-7714 is a prototype pollution vulnerability in the confucious npm package via its set function, allowing attackers to pollute Object.prototype.

Vulnerability

Overview

CVE-2020-7714 is a prototype pollution vulnerability affecting all versions of the confucious npm package. The flaw exists in the package's set function, which allows an attacker to inject properties into the global Object.prototype by manipulating the __proto__ property [1][2]. This is a classic example of the 'Property definition by path' attack vector described by Snyk [2].

Attack

Vector and Prerequisites

The attacker exploits the set function by supplying a crafted object with a __proto__ key. When the library processes this input, it traverses the property path and assigns values, polluting the base prototype [2]. No authentication is required if the application exposes this function to user-controlled data (e.g., via JSON parsing or query parameters). The attack requires that the Node.js application using confucious passes untrusted data to the vulnerable set call.

Impact

Successful exploitation leads to prototype pollution, which can have severe consequences [2]. By polluting Object.prototype, the attacker can modify default properties of all JavaScript objects in the runtime. This can result in denial of service (by causing JavaScript exceptions), security control bypasses, and potentially remote code execution if the polluted property influences application logic (e.g., changing a default property that controls code execution). The exact impact depends on how the host application uses objects.

Mitigation

As of September 2020, when this CVE was published, no patch had been released for the confucious package [1]. Users should consider migrating to an alternative, actively maintained library, or implementing input sanitization that prevents __proto__ keys from reaching the set function [2]. Organizations should assess their exposure based on their dependency usage.
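As an added example (not confucious's own code; the dotted-path set helper, its names and the hostile path are hypothetical), here is the kind of path-walking set the advisory describes, next to a hardened version that refuses prototype-walking keys and only descends into the target's own properties:

```javascript
// Added example, not confucious's code: hypothetical dotted-path set helper, unsafe vs hardened.

// Path segments that let a write escape the target and reach a shared prototype.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Unsafe: walks the path, creating intermediate objects as needed. Because
// `{}['__proto__']` is Object.prototype, "__proto__.x" writes to every object.
function unsafeSet(target, path, value) {
  const keys = path.split('.');
  let node = target;
  for (let i = 0; i < keys.length - 1; i++) {
    if (node[keys[i]] === undefined) node[keys[i]] = {};
    node = node[keys[i]];
  }
  node[keys[keys.length - 1]] = value;
  return target;
}

// Hardened: reject reserved segments, and only descend into the target's own
// plain-object properties so the walk can never leave the target's graph.
function safeSet(target, path, value) {
  const keys = path.split('.');
  for (const key of keys) {
    if (FORBIDDEN_KEYS.has(key)) throw new TypeError(`reserved key "${key}"`);
  }
  let node = target;
  for (let i = 0; i < keys.length - 1; i++) {
    const own = Object.prototype.hasOwnProperty.call(node, keys[i]);
    if (!own || typeof node[keys[i]] !== 'object' || node[keys[i]] === null) {
      node[keys[i]] = {};
    }
    node = node[keys[i]];
  }
  node[keys[keys.length - 1]] = value;
  return target;
}

// Run both helpers on a constructed hostile path, then restore the prototype
// so the rest of the process is unaffected. Returns what each helper did.
function pollutionCheck() {
  const hostilePath = '__proto__.polluted'; // constructed input
  unsafeSet({}, hostilePath, true);
  const unsafePolluted = ({}).polluted === true; // a fresh object inherits it
  delete Object.prototype.polluted;
  let safeRejected = false;
  try { safeSet({}, hostilePath, true); } catch (e) { safeRejected = e instanceof TypeError; }
  const stillClean = ({}).polluted === undefined;
  return { unsafePolluted, safeRejected, stillClean };
}
```

The same reserved-key check belongs at the input boundary (JSON bodies, query parameters) of any application that forwards untrusted keys to such a helper, since the library itself performs no filtering.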

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package            Affected versions   Patched versions
confucious (npm)   <= 0.0.12           none

Affected products: 3

Patches: 0

No patches discovered yet.


References: 3
