VYPR
← All advisories
Critical severityGHSA Advisory· Published Sep 1, 2020· Updated Sep 16, 2024

Prototype Pollution

CVE-2020-7722

Description

nodee-utils deepSet function allows prototype pollution via __proto__ or prototype keys, leading to potential remote code execution or denial of service.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

nodee-utils deepSet function allows prototype pollution via __proto__ or prototype keys, leading to potential remote code execution or denial of service.

The deepSet function in the nodee-utils package is vulnerable to prototype pollution because it does not sanitize keys such as __proto__ or prototype when setting properties on objects [1][2]. This allows an attacker to inject properties into the base Object.prototype, affecting all JavaScript objects in the application.

An attacker can exploit this by supplying a crafted object containing __proto__ or prototype keys to the deepSet function. If the function processes user-controlled input without proper validation, the attacker can pollute the prototype chain. This is a classic property definition by path attack [2].

Successful prototype pollution can lead to denial of service by triggering JavaScript exceptions, or it can tamper with application logic to force code paths that may result in remote code execution [2]. The impact depends on how the polluted properties are used by the application.

The vulnerability was fixed in version 1.2.3 of nodee-utils. The fix adds a check that throws an error if the key is prototype or __proto__, preventing the pollution [3]. Users should update to the latest version to mitigate the risk.

References
  1. NVD - CVE-2020-7722
  2. Snyk Vulnerability Database | Snyk
  3. fixed: object deepSet · nodee-apps/utils@52460d9

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

PackageAffected versionsPatched versions
nodee-utilsnpm
< 1.2.31.2.3

Affected products

2

Patches

1
52460d936c52

fixed: object deepSet

https://github.com/nodee-apps/utilsMatus SzaboOct 5, 2020via ghsa
commit
2 files changed · +4 2
  • lib/object.js+3 1 modified
    @@ -205,11 +205,13 @@ function deepSet(parent, key, value, mode) {
     }
     else {
         for(var i=0; i<parts.length; i++) {
+            if(parts[i] === 'prototype' || parts[i] === '__proto__') throw new Error('Cannot use deepSet to override prototype !');
+
             if(i >= parts.length-1) {
                 if(mode==='push') current[parts[i]].push(value);
                 else current[parts[i]] = value;
             }
-            else current[parts[i]] = current[parts[i]] || {};    
+            else current[parts[i]] = current[parts[i]] || {};
             current = current[parts[i]];
         }
     }
  • package.json+1 1 modified
    @@ -1,7 +1,7 @@
 {
   "name": "nodee-utils",
   "preferGlobal": false,
-  "version": "1.2.2",
+  "version": "1.2.3",
   "author": "NODEE - Matus Szabo <matus@nodee.io>",
   "description": "set of useful helpers",
   "main": "./index.js",

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

4

News mentions

0

No linked articles in our index yet.