VYPR
Critical severity · GHSA Advisory · Published Sep 1, 2020 · Updated Sep 16, 2024

Prototype Pollution

CVE-2020-7721

Description

node-oojs is vulnerable to Prototype Pollution via the setPath function, allowing attackers to inject properties into Object.prototype.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

CVE-2020-7721 describes a Prototype Pollution vulnerability in all versions of the npm package node-oojs. The flaw exists in the setPath function, which sets property values on an object at a location given by a string path. An attacker can abuse this to set properties on Object.prototype by including __proto__ or similar keys in the path.

Exploitation occurs when an attacker controls the path argument passed to the setPath function. If the application processes untrusted input through this function without proper sanitization, the attacker can pollute the base object prototype. This is a classic "property definition by path" style of Prototype Pollution.

The impact of successful exploitation includes the ability to tamper with application logic, leading to denial of service via JavaScript exceptions, or potentially remote code execution if the polluted properties alter security-sensitive code paths [1][2].

As of the publication date (2020-09-01), users should update node-oojs to a patched version if available, or apply mitigations such as sanitizing input paths. The vulnerability is tracked by Snyk under SNYK-JS-NODEOOJS-598678 [2].

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
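
The path-based write described above, next to the "sanitizing input paths" mitigation, as an added example that is not code from node-oojs or from this advisory. The helper names `setPathUnsafe` and `setPathSafe`, the dot-separated path format and the sample payload are assumptions made for illustration.

```javascript
const BLOCKED_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Naive "set by dotted path" helper (hypothetical, not node-oojs source).
function setPathUnsafe(root, path, value) {
  const keys = path.split('.');
  let node = root;
  for (const key of keys.slice(0, -1)) {
    if (typeof node[key] !== 'object' || node[key] === null) node[key] = {};
    node = node[key]; // "__proto__" resolves to Object.prototype here
  }
  node[keys[keys.length - 1]] = value;
  return root;
}

// Hardened form: reject dangerous segments, descend only into own properties.
function setPathSafe(root, path, value) {
  const keys = String(path).split('.');
  if (keys.some((k) => k === '' || BLOCKED_KEYS.has(k))) {
    throw new TypeError(`refusing unsafe path: ${JSON.stringify(path)}`);
  }
  let node = root;
  for (const key of keys.slice(0, -1)) {
    const own = Object.prototype.hasOwnProperty.call(node, key);
    if (!own || typeof node[key] !== 'object' || node[key] === null) {
      node[key] = Object.create(null); // new containers carry no prototype
    }
    node = node[key];
  }
  node[keys[keys.length - 1]] = value;
  return root;
}

// Runs both helpers on a constructed payload and restores Object.prototype.
function demo() {
  const payload = '__proto__.isAdmin'; // constructed sample input
  const result = { unsafePolluted: false, safeRejected: false, safePolluted: false };
  try {
    setPathUnsafe({}, payload, true);
    result.unsafePolluted = ({}).isAdmin === true; // unrelated object is affected
  } finally {
    delete Object.prototype.isAdmin; // undo the pollution
  }
  try { setPathSafe({}, payload, true); } catch (err) { result.safeRejected = err instanceof TypeError; }
  result.safePolluted = 'isAdmin' in {};
  return result;
}

console.log(demo());
```

A key denylist covers the path segments named in the description; where the application allows it, validating paths against an allowlist of expected keys is the stricter option.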

Affected packages

Versions sourced from the GitHub Security Advisory.

Package | Affected versions | Patched versions
node-oojs (npm) | <= 1.4.0 |

Affected products

2

Patches

0

No patches discovered yet.

References

3
