VYPR
High severity · NVD Advisory · Published Sep 1, 2020 · Updated Sep 16, 2024

Prototype Pollution

CVE-2020-7715

Description

All versions of package deep-get-set are vulnerable to Prototype Pollution via the main function.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Prototype Pollution in deep-get-set allows attackers to inject arbitrary properties into Object.prototype, potentially leading to denial of service or remote code execution.

Vulnerability Overview

The deep-get-set package is vulnerable to Prototype Pollution via its main function. The library does not sanitize user-controlled property paths, so an attacker can set properties through the __proto__, prototype, or constructor keys. Once Object.prototype is polluted, the injected properties are inherited by every object in the application, which can alter application logic or cause exceptions [1][2].

Attack Vector

An attacker can exploit this vulnerability by passing crafted property paths to the library's get/set functions. No authentication is required beyond the ability to supply input to a function that uses deep-get-set. The vulnerability is classified as Prototype Pollution, a common issue in JavaScript runtime environments. Successful exploitation requires no special network position if the attacker can provide untrusted input to the library [2].

Impact

Successful exploitation can lead to denial of service (via JavaScript exceptions) or remote code execution by forcing the application into unintended code paths. Because the pollution affects Object.prototype, the impact can be widespread across the application, potentially allowing complete compromise of the application's integrity [2].

Mitigation

The vulnerability affects all versions of deep-get-set. A fix has been implemented in commit a127e65bc77ff5707a6a103819e140d11475c5f4, which rejects the __proto__, prototype, and constructor keys in the get and set paths and adds tests to ensure those properties are neither read nor written. Users should update to a patched version immediately [3].
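The passages above describe both the weakness (unchecked path segments walking onto a prototype) and the shape of the fix. The following is an added example, not deep-get-set's own code, of a path setter hardened in the same spirit: the key check is applied to every segment, including the last one, array elements are normalised to strings before comparison, and a small detection helper reports any enumerable keys that have landed on Object.prototype. The names safeSet, isSafeKey and prototypePollutionKeys are this example's own.

```javascript
// Added example (not deep-get-set's code): a hardened dotted-path setter plus
// a post-hoc check for pollution of Object.prototype.

const hasOwnProp = Object.prototype.hasOwnProperty;

// Reject the three keys that let a property path walk onto a prototype object.
// String() first: an array element that is an object whose toString() yields
// '__proto__' would otherwise pass a strict comparison and be coerced only at
// the obj[key] access.
function isSafeKey(key) {
  const k = String(key);
  return k !== '__proto__' && k !== 'prototype' && k !== 'constructor';
}

// Writes `value` at a dotted or array path, creating intermediate objects.
// Every segment (not only the intermediate ones) is validated up front.
// Returns true on success and false when the path is rejected, so the caller
// can log the attempt instead of having the write silently dropped.
function safeSet(obj, path, value) {
  const keys = Array.isArray(path) ? path.map(String) : String(path).split('.');
  if (keys.length === 0 || !keys.every(isSafeKey)) return false;
  let cur = obj;
  for (let i = 0; i < keys.length - 1; i++) {
    const key = keys[i];
    // Only descend into own, plain objects; never into inherited ones.
    if (!hasOwnProp.call(cur, key) || typeof cur[key] !== 'object' || cur[key] === null) {
      cur[key] = {};
    }
    cur = cur[key];
  }
  cur[keys[keys.length - 1]] = value;
  return true;
}

// Detection helper: a clean Object.prototype has no enumerable own keys, so a
// non-empty result after deserialising untrusted input is a pollution signal.
function prototypePollutionKeys() {
  return Object.keys(Object.prototype);
}
```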

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: deep-get-set (npm)
Affected versions: < 1.1.1
Patched versions: 1.1.1


Patches (1)

a127e65bc77f

Merge pull request #4 from 418sec/master

https://github.com/acstll/deep-get-set · Arturo Castillo Delgado · Nov 1, 2020 · via ghsa
2 files changed · +55 −1
  • index.js +6 −1 modified
    @@ -2,6 +2,10 @@ var hasOwnProp = Object.prototype.hasOwnProperty;
     
     module.exports = deep;
     
    +function isSafeKey (key) {
    +  return key !== '__proto__' && key !== 'prototype' && key !== 'constructor';
    +}
    +
     function deep (obj, path, value) {
       if (arguments.length === 3) return set.apply(null, arguments);
       return get.apply(null, arguments);
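Review bot: isSafeKey compares with strict string equality, but the callers below build `keys` as `Array.isArray(path) ? path : path.split('.')`, so when `path` is an array its elements are not guaranteed to be strings, and a non-string element is only coerced with toString() at the `obj[key]` access, after this check has passed. Normalise first, e.g. `var k = String(key);` and compare `k`, or reject non-string keys outright. A one-line comment stating why these three names are unsafe would also help future readers.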
    @@ -11,7 +15,7 @@ function get (obj, path) {
       var keys = Array.isArray(path) ? path : path.split('.');
       for (var i = 0; i < keys.length; i++) {
         var key = keys[i];
    -    if (!obj || !hasOwnProp.call(obj, key)) {
    +    if (!obj || !hasOwnProp.call(obj, key) || !isSafeKey(key)) {
           obj = undefined;
           break;
         }
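Review bot: the new `!isSafeKey(key)` test sits after `hasOwnProp.call(obj, key)`, which already rejects an inherited `__proto__` or `constructor` lookup; the new branch only changes behaviour when the key is an own property (for example an object produced by JSON.parse of `{"__proto__": {...}}`, which does create an own key). That is sensible defence in depth, but placing the cheap `isSafeKey(key)` check before the hasOwnProp lookup makes the intent clearer and avoids the property access for rejected keys.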
    @@ -24,6 +28,7 @@ function set (obj, path, value) {
       var keys = Array.isArray(path) ? path : path.split('.');
       for (var i = 0; i < keys.length - 1; i++) {
         var key = keys[i];
    +    if (!isSafeKey(key)) return;
         if (deep.p && !hasOwnProp.call(obj, key)) obj[key] = {};
         obj = obj[key];
       }
    
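Review bot: the guard `if (!isSafeKey(key)) return;` runs only inside the loop over `keys[0 .. keys.length - 2]`, so the final segment, which is written after the loop (outside this hunk), is not checked; a single-segment path such as `'constructor'` or `'__proto__'` still reaches that assignment. Apply the same check to the last key before writing, or validate every element of `keys` once before the loop. The bare `return` also drops the write with no signal to the caller; consider returning a value or throwing so the rejected path can be logged.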
  • test.js +49 −0 modified
    @@ -98,3 +98,52 @@ test('deep deletes', function (t) {
       t.equal(deep(obj, 'bar.baz.beep'), undefined);
       t.end();
     });
    +
    +test('do not get `__proto__`, `prototype` or `constructor` properties', function (t) {
    +  var obj = {
    +    isAdmin: false,
    +    __proto__: {
    +      isAdmin: true
    +    },
    +    prototype: {
    +      isAdmin: true
    +    },
    +    constructor: {
    +      isAdmin: true,
    +      prototype: {
    +        isAdmin: true
    +      }
    +    }
    +  };
    +
    +  t.equal(deep(obj, 'isAdmin'), false);
    +  t.equal(deep(obj, '__proto__.isAdmin'), undefined);
    +  t.equal(deep(obj, 'prototype.isAdmin'), undefined);
    +  t.equal(deep(obj, 'constructor.isAdmin'), undefined);
    +  t.equal(deep(obj, 'constructor.prototype.isAdmin'), undefined);
    +  t.end();
    +});
    +
    +test('do not set `__proto__`, `prototype` or `constructor` properties', function (t) {
    +  var obj = {};
    +
    +  deep.p = true;
    +
    +  deep(obj, 'isAdmin', false);
    +  deep(obj, '__proto__.isAdmin', true);
    +  deep(obj, 'prototype.isAdmin', true);
    +  deep(obj, 'constructor.isAdmin', true);
    +  deep(obj, 'constructor.prototype.isAdmin', true);
    +
    +  t.equal(obj.isAdmin, false);
    +  t.equal(obj.__proto__ && obj.__proto__.isAdmin, undefined);
    +  t.equal(obj.prototype && obj.prototype.isAdmin, undefined);
    +  t.equal(obj.constructor && obj.constructor.isAdmin, undefined);
    +  t.equal(
    +    obj.constructor &&
    +    obj.constructor.prototype &&
    +    obj.constructor.prototype.isAdmin,
    +    undefined
    +  );
    +  t.end();
    +});
    
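Review bot: in the get test, the `__proto__: { isAdmin: true }` literal sets the fixture's prototype rather than creating an own `__proto__` property, so `hasOwnProp.call(obj, '__proto__')` is already false and the new `isSafeKey` branch is never reached for that case (the `prototype` and `constructor` cases, which are own keys, do exercise it). Build that fixture with `JSON.parse('{"__proto__": {"isAdmin": true}}')`, which creates an own key, so the new code is covered. In the set test, `deep.p = true` toggles module-level state and is never reset, so it leaks into any test that runs afterwards; reset it at the end of the test, and add a single-segment case such as `deep(obj, '__proto__', { isAdmin: true })` to cover the last path segment.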
