Prototype Pollution
Description
The package node-forge before 0.10.0 is vulnerable to Prototype Pollution via the util.setPath function. Note: Version 0.10.0 is a breaking change removing the vulnerable functions.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
node-forge before 0.10.0 is vulnerable to Prototype Pollution via the util.setPath function, allowing attackers to inject properties into the Object prototype.
Vulnerability
Overview
The node-forge library prior to version 0.10.0 contains a Prototype Pollution vulnerability in the util.setPath function. The function does not properly validate or sanitize the keys used to set nested properties, allowing an attacker to manipulate the __proto__ or constructor.prototype properties. This flaw enables the injection of arbitrary properties into the global Object prototype, which can affect the behavior of all objects in the application [1][4].
Exploitation
Conditions
An attacker can exploit this vulnerability by supplying a crafted path string to util.setPath that includes prototype-polluting keys. The attack requires that the application passes user-controlled input to this function without prior sanitization. No authentication or special network position is necessary if the function is exposed to untrusted data, making the attack surface broad in applications that process external input [4].
Impact
Successful exploitation allows an attacker to pollute the Object prototype, leading to property injection across the application. This can result in denial of service, privilege escalation, or arbitrary code execution depending on how the injected properties are used by the application. The impact is amplified because prototype pollution can bypass security checks and alter the behavior of objects globally [4].
Mitigation
The vulnerability is fixed in version 0.10.0, which is a breaking change that removes the vulnerable util.setPath function entirely. Users are strongly advised to upgrade to 0.10.0 or later. No official workaround is provided, but applications can mitigate the risk by avoiding the use of util.setPath with untrusted input or by implementing input validation [1][4].
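The mechanism described in the Overview and the input-validation mitigation above, as an added example that is not node-forge's own code: the pre-0.10.0 `util.setPath` body (reproduced from the fix commit below) next to an assumed hardened replacement, plus a probe that checks whether a given path helper writes through to `Object.prototype`. `setPathVulnerable`, `setPathSafe`, `FORBIDDEN_KEYS` and `pollutes` are names introduced here, and the probe's key list is constructed input.

```javascript
// Added example, not node-forge code. setPathVulnerable reproduces the
// util.setPath body that the fix commit removed; setPathSafe is an assumed
// hardened replacement for code that still needs path-based assignment.

// Vulnerable form (pre-0.10.0 behaviour): keys are used verbatim and the
// `in` test walks the prototype chain, so a '__proto__' element makes the
// walk land on Object.prototype and the final assignment writes there.
function setPathVulnerable(object, keys, value) {
  if (typeof object === 'object' && object !== null) {
    var i = 0;
    var len = keys.length;
    while (i < len) {
      var next = keys[i++];
      if (i === len) {
        object[next] = value;            // last key: assign
      } else {
        var hasNext = (next in object);  // inherited keys count too
        if (!hasNext || typeof object[next] !== 'object' || object[next] === null) {
          object[next] = {};
        }
        object = object[next];
      }
    }
  }
}

// Hardened replacement (assumption, not a node-forge API): reject the keys
// that reach Object.prototype, descend only through own properties, and
// throw rather than return silently so a rejected path cannot go unnoticed.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function setPathSafe(object, keys, value) {
  if (typeof object !== 'object' || object === null) {
    throw new TypeError('setPathSafe: root must be a non-null object');
  }
  if (!Array.isArray(keys) || keys.length === 0) {
    throw new TypeError('setPathSafe: keys must be a non-empty array');
  }
  for (const key of keys) {
    if (typeof key !== 'string' || FORBIDDEN_KEYS.has(key)) {
      throw new Error('setPathSafe: refusing unsafe key ' + JSON.stringify(key));
    }
  }
  let cur = object;
  for (let i = 0; i < keys.length - 1; i++) {
    const key = keys[i];
    const own = Object.prototype.hasOwnProperty.call(cur, key);
    if (!own || typeof cur[key] !== 'object' || cur[key] === null) {
      cur[key] = {};
    }
    cur = cur[key];
  }
  cur[keys[keys.length - 1]] = value;
  return object;
}

// Probe: call `fn` with the advisory's key shape (constructed input) on a
// throwaway object and report whether a fresh {} inherited the marker
// afterwards. Object.prototype is cleaned up so the probe leaves no residue.
function pollutes(fn) {
  const marker = 'ppProbeMarker';
  let threw = false;
  try {
    fn({}, ['__proto__', marker], true);
  } catch (e) {
    threw = true;
  }
  const leaked = ({})[marker] === true;
  delete Object.prototype[marker];
  return { leaked: leaked, threw: threw };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log('vulnerable:', pollutes(setPathVulnerable)); // { leaked: true, threw: false }
  console.log('hardened:  ', pollutes(setPathSafe));       // { leaked: false, threw: true }
}
```

The probe is the useful part for a defender: point it at whatever path-setting helper an application still uses (lodash's `set`, a hand-written one) and it answers, without leaving a polluted prototype behind, whether untrusted key arrays can reach `Object.prototype`. The blocklist in `setPathSafe` is the minimum; switching the `in` check to an own-property check is what stops the walk from descending into inherited objects in the first place.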
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| node-forge (npm) | < 0.10.0 | 0.10.0 |
Affected products
- Range: 0.1.10, 0.1.11, 0.1.12, …
Patches
6a1e3ef74f6e Remove object path functions.
3 files changed · +13 −100
CHANGELOG.md+13 −2 modified@@ -1,10 +1,21 @@ Forge ChangeLog =============== +### Changed - **BREAKING**: Node.js 4 no longer supported. The code *may* still work, and non-invasive patches to keep it working will be considered. However, more - modern tools no longer support very old Node.js versions making testing - difficult. + modern tools no longer support old Node.js versions making testing difficult. + +### Removed +- **BREAKING**: Remove `util.getPath`, `util.setPath`, and `util.deletePath`. + `util.setPath` had a potential prototype pollution security issue when used + with unsafe inputs. These functions are not used by `forge` itself. They date + from an early time when `forge` was targeted at providing general helper + functions. The library direction changed to be more focused on cryptography. + Many other excellent libraries are more suitable for general utilities. If + you need a replacement for these functions, consier `get`, `set`, and `unset` + from [lodash](https://lodash.com/). But also consider the potential similar + security issues with those APIs. ## 0.9.2 - 2019-09-01
lib/util.js+0 −96 modified@@ -2513,102 +2513,6 @@ util.makeLink = function(path, query, fragment) { ((fragment.length > 0) ? ('#' + fragment) : ''); }; -/** - * Follows a path of keys deep into an object hierarchy and set a value. - * If a key does not exist or it's value is not an object, create an - * object in it's place. This can be destructive to a object tree if - * leaf nodes are given as non-final path keys. - * Used to avoid exceptions from missing parts of the path. - * - * SECURITY NOTE: Do not use unsafe inputs. Doing so could expose a prototype - * pollution security issue. - * - * @param object the starting object. - * @param keys an array of string keys. - * @param value the value to set. - */ -util.setPath = function(object, keys, value) { - // need to start at an object - if(typeof(object) === 'object' && object !== null) { - var i = 0; - var len = keys.length; - while(i < len) { - var next = keys[i++]; - if(i == len) { - // last - object[next] = value; - } else { - // more - var hasNext = (next in object); - if(!hasNext || - (hasNext && typeof(object[next]) !== 'object') || - (hasNext && object[next] === null)) { - object[next] = {}; - } - object = object[next]; - } - } - } -}; - -/** - * Follows a path of keys deep into an object hierarchy and return a value. - * If a key does not exist, create an object in it's place. - * Used to avoid exceptions from missing parts of the path. - * - * @param object the starting object. - * @param keys an array of string keys. - * @param _default value to return if path not found. - * - * @return the value at the path if found, else default if given, else - * undefined. - */ -util.getPath = function(object, keys, _default) { - var i = 0; - var len = keys.length; - var hasNext = true; - while(hasNext && i < len && - typeof(object) === 'object' && object !== null) { - var next = keys[i++]; - hasNext = next in object; - if(hasNext) { - object = object[next]; - } - } - return (hasNext ? 
object : _default); -}; - -/** - * Follow a path of keys deep into an object hierarchy and delete the - * last one. If a key does not exist, do nothing. - * Used to avoid exceptions from missing parts of the path. - * - * @param object the starting object. - * @param keys an array of string keys. - */ -util.deletePath = function(object, keys) { - // need to start at an object - if(typeof(object) === 'object' && object !== null) { - var i = 0; - var len = keys.length; - while(i < len) { - var next = keys[i++]; - if(i == len) { - // last - delete object[next]; - } else { - // more - if(!(next in object) || - (typeof(object[next]) !== 'object') || - (object[next] === null)) { - break; - } - object = object[next]; - } - } - } -}; - /** * Check if an object is empty. *
README.md+0 −2 modified@@ -2035,8 +2035,6 @@ When using this code please keep the following in mind: - Certain features in this library are less susceptible to attacks depending on usage. This primarily includes features that deal with data format manipulation or those that are not involved in communication. -- Do not pass unsafe inputs to `util.setPath`. Doing so could expose a - prototype pollution security issue. Library Background ------------------
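Review bot: typo in the new CHANGELOG "Removed" entry: `consier` should be `consider`. The entry also never names the advisory it fixes; adding the identifier (CVE-2020-7720 / GHSA-92xj-mqp7-vmcj, both listed in this page's references) to the line `util.setPath had a potential prototype pollution security issue when used with unsafe inputs` would let scanners and readers match the release to the advisory.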
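Review bot: the deleted `util.setPath` body in lib/util.js shows the defect directly: keys are used verbatim and `var hasNext = (next in object);` walks the prototype chain, so a `__proto__` element in `keys` makes the walk land on `Object.prototype` and the final `object[next] = value;` writes there. Removing the function closes that; since `util.getPath` and `util.deletePath` go with it, any external caller now fails with a TypeError at call time, which the CHANGELOG's BREAKING label covers, but throwing stubs with a message naming the removal would make the failure easier to diagnose for downstream users.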
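Review bot: dropping the `Do not pass unsafe inputs to util.setPath` bullet from README.md is right once the function is gone, but the Security Considerations list then says nothing about the change; a one-line pointer that the path helpers were removed in 0.10.0 (as the CHANGELOG entry states) would help readers who reach the README from the advisory.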
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-92xj-mqp7-vmcj (ghsa; ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2020-7720 (ghsa; ADVISORY)
- github.com/digitalbazaar/forge/blob/master/CHANGELOG.md (ghsa; x_refsource_CONFIRM; WEB)
- github.com/digitalbazaar/forge/blob/master/CHANGELOG.md (ghsa; WEB)
- github.com/digitalbazaar/forge/commit/6a1e3ef74f6eb345bcff1b82184201d1e28b6756 (ghsa; WEB)
- snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-609293 (ghsa; x_refsource_MISC; WEB)
- snyk.io/vuln/SNYK-JS-NODEFORGE-598677 (ghsa; x_refsource_MISC; WEB)
News mentions
No linked articles in our index yet.