VYPR
Critical severity · NVD Advisory · Published Nov 12, 2020 · Updated Sep 16, 2024

Prototype Pollution

CVE-2020-7770

Description

CVE-2020-7770 is a prototype pollution vulnerability in the json8 package (versions < 1.0.3) via improper key validation.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

Description

CVE-2020-7770 affects the json8 package before version 1.0.3. The vulnerability exists in the apply function, which merges properties from a patch object into a target object. The function does not properly validate the key being set, allowing an attacker to set properties on __proto__ or constructor.prototype, leading to prototype pollution [1][3].

Exploitation

An attacker can exploit this by supplying a specially crafted patch object that includes keys like __proto__ or constructor. Since the apply function lacks a check for these dangerous keys (before version 1.0.3), it will traverse and set properties on the object's prototype chain. This attack does not require authentication if the vulnerable component is exposed to untrusted input [2][3].

Impact

Successful exploitation allows an attacker to pollute the Object.prototype with arbitrary properties. This can lead to denial of service (via overriding default properties that cause exceptions) or bypass security controls, and in some contexts, may enable remote code execution if the polluted properties affect code paths that rely on object properties [3].

Mitigation

The vulnerability is fixed in json8 version 1.0.3. The fix adds an optional third options argument with a pollute flag that defaults to false; by default, a __proto__ key in the patch now makes apply throw an error, unless the caller explicitly passes {pollute: true} [2]. Users should update to version 1.0.3 or later. No known public exploit code has been reported, but prototype pollution is a well-known technique [3].
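As an added example (not JSON8's own code and not code from this advisory), the following contrasts a minimal RFC 7396 merge-patch apply written in the pre-1.0.3 style, with no key validation, against a hardened version carrying the __proto__ check and the pollute/proto options the fix describes. It goes slightly beyond the advisory by also showing why a null-prototype document is immune and why an object literal with a __proto__ key does not reproduce the bug while JSON.parse does. The function names, the prototypeIsPolluted probe and the sample patch are constructed for this demonstration.

```javascript
"use strict";

// Constructed helper: the same "is this a mergeable JSON object" test the
// page's apply function uses (object, not null, not an array).
function isObject(v) {
  return typeof v === "object" && v !== null && !Array.isArray(v);
}

// Vulnerable style (pre-1.0.3): every patch key is merged, including "__proto__".
// When `doc` inherits from Object.prototype, doc["__proto__"] resolves to
// Object.prototype, so the recursive call writes the patch's properties onto
// the prototype shared by every ordinary object in the process.
function applyUnsafe(doc, patch) {
  if (!isObject(patch)) return patch;
  if (!isObject(doc)) doc = {};
  for (const key of Object.keys(patch)) {
    const v = patch[key];
    if (v === null) delete doc[key];
    else doc[key] = applyUnsafe(doc[key], v);
  }
  return doc;
}

// Hardened style (1.0.3 behaviour): reject "__proto__" unless the caller opts in
// with {pollute: true}, create fresh objects with a null prototype (or the
// caller's `proto`), and forward options so the check applies at every depth.
function applySafe(doc, patch, options = {}) {
  if (!isObject(patch)) return patch;
  if (!isObject(doc)) doc = Object.create(options.proto || null);
  for (const key of Object.keys(patch)) {
    if (options.pollute !== true && key === "__proto__") {
      throw new Error("Prototype pollution attempt");
    }
    const v = patch[key];
    if (v === null) delete doc[key];
    else doc[key] = applySafe(doc[key], v, options);
  }
  return doc;
}

// Constructed sample input, as it would arrive from an untrusted JSON body.
const UNTRUSTED_PATCH_JSON = '{"name": "alice", "__proto__": {"isAdmin": true}}';

function hasOwnProtoKey(obj) {
  return Object.prototype.hasOwnProperty.call(obj, "__proto__");
}

// Probe: a brand-new object only sees isAdmin if Object.prototype was polluted.
function prototypeIsPolluted() {
  return ({}).isAdmin === true;
}

// An object literal with a __proto__ key sets the literal's prototype and creates
// no own key, so it never reaches the merge loop; JSON.parse creates an own key.
function literalHasOwnProtoKey() {
  return hasOwnProtoKey({ __proto__: { isAdmin: true } });
}

// Run the vulnerable merge on an ordinary {} document, record the effect on a
// fresh object, then undo the pollution so the rest of the process is unaffected.
function demoUnsafe() {
  const patch = JSON.parse(UNTRUSTED_PATCH_JSON);
  const before = prototypeIsPolluted();
  applyUnsafe({}, patch);
  const after = prototypeIsPolluted();
  delete Object.prototype.isAdmin; // clean up the demonstration
  return { before, after, cleaned: !prototypeIsPolluted() };
}

// Same patch through the hardened merge: it throws and the prototype stays clean.
function demoSafe() {
  const patch = JSON.parse(UNTRUSTED_PATCH_JSON);
  let error = null;
  try {
    applySafe({}, patch);
  } catch (e) {
    error = e.message;
  }
  return { error, polluted: prototypeIsPolluted() };
}

// A null-prototype document is immune even to the unsafe merge: with no
// inherited __proto__ accessor, the key becomes a plain own property.
function demoNullProtoDoc() {
  const patch = JSON.parse(UNTRUSTED_PATCH_JSON);
  const doc = applyUnsafe(Object.create(null), patch);
  return { ownKey: hasOwnProtoKey(doc), polluted: prototypeIsPolluted() };
}

console.log(demoUnsafe(), demoSafe(), demoNullProtoDoc(), literalHasOwnProtoKey());
```

Two points worth noting from the output: the unsafe merge only pollutes when the caller hands in a document that inherits from Object.prototype (a plain {} as in the package's test), which is why the hardened version both rejects the key and defaults new objects to a null prototype; and a regression test for this class of bug must build its fixture with JSON.parse, since the literal form silently tests nothing.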

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package        Affected versions   Patched versions
json8 (npm)    < 1.0.3             1.0.3

Patches (1)

Commit 2e890261b66c

json8-merge-patch: Prevent prototype pollution 2 (#116)

https://github.com/sonnyp/JSON8 · Sonny Piers · Sep 13, 2020 · via ghsa
3 files changed · +37 −19
  • packages/merge-patch/lib/apply.js (+13 −5, modified)
    @@ -5,21 +5,29 @@ const OBJECT = "object";
     /**
      * Apply a JSON merge patch onto a document
      * https://tools.ietf.org/html/rfc7396
    - * @param  {Object} doc    - JSON object document
    - * @param  {Object} patch  - JSON object patch
    - * @return {Object}        - JSON object document
    + * @param  {Object}  doc                       - JSON object document
    + * @param  {Object}  patch                     - JSON object patch
    + * @param  {Object}  [options]                 - options
    + * @param  {Boolean} [options.pollute=false]   - Allow prototype pollution - throw otherwise
    + * @param  {Object}  [options.proto=null]      - Prototype to use for object creation
    + * @return {Object}                            - JSON object document
      */
    -module.exports = function apply(doc, patch) {
    +module.exports = function apply(doc, patch, options) {
       if (typeof patch !== OBJECT || patch === null || Array.isArray(patch)) {
         return patch;
       }
     
    +  options = options || Object.create(null);
    +
       if (typeof doc !== OBJECT || doc === null || Array.isArray(doc)) {
    -    doc = Object.create(null);
    +    doc = Object.create(options.proto || null);
       }
     
       const keys = Object.keys(patch);
       for (const key of keys) {
    +    if (options.pollute !== true && key === "__proto__") {
    +      throw new Error("Prototype pollution attempt");
    +    }
         const v = patch[key];
         if (v === null) {
           delete doc[key];
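Review bot: the new guard at `if (options.pollute !== true && key === "__proto__")` only inspects the keys of the current level; the recursive call that merges nested object values is outside this hunk, so confirm it forwards `options` (e.g. `apply(doc[key], v, options)`), otherwise a `__proto__` key nested one level down bypasses the check and a caller's `proto` choice is lost for nested objects. Also, `options = options || Object.create(null)` accepts any truthy value, so `apply(doc, patch, true)` silently behaves as if no options were given; a `typeof options !== OBJECT` check that throws a TypeError would be clearer. Finally, the JSDoc line `Allow prototype pollution - throw otherwise` should spell out that `pollute: true` re-enables merging through `__proto__` on documents that inherit from `Object.prototype`, so callers understand what they are opting into.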
    
  • packages/merge-patch/README.md (+12 −0, modified)
    @@ -69,6 +69,18 @@ person = mergePatch.apply(person, patch)
     
     [↑](#json8-merge-patch)
     
    +### object creation
    +
    +When needed, `apply` creates objects with `null` prototype, you can choose the prototype to use with `{proto: Object}` as a third argument.
    +
    +[↑](#json8-merge-patch)
    +
    +### prototype pollution
    +
    +`apply` will throw with an error if [prototype pollution](https://github.com/HoLyVieR/prototype-pollution-nsec18) is attempted. You can allow for prototype pollution by passing `{pollute: true}` as a third argument.
    +
    +[↑](#json8-merge-patch)
    +
     ### patch
     
     Alias for [apply](#apply) method.
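Review bot: the `### prototype pollution` paragraph says `apply` throws when prototype pollution is attempted, but the code in this change only rejects a `__proto__` key; state that precisely (e.g. "throws if the patch contains a `__proto__` key") so readers do not assume other keys are covered by the throw. The `### object creation` paragraph could also note that the default null prototype is what makes `__proto__` an ordinary own key on created objects, so `{proto: Object}` should be reserved for callers that need ordinary objects and trust the patch source.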
    
  • packages/merge-patch/test/apply.js (+12 −14, modified)
    @@ -51,23 +51,21 @@ describe("apply", () => {
         assert.deepEqual(doc, {});
       });
     
    -  // https://github.com/lodash/lodash/pull/4337
    +  // https://github.com/sonnyp/JSON8/issues/113
    +  // https://github.com/HoLyVieR/prototype-pollution-nsec18
       it("prevents prototype pollution", () => {
         let doc = {};
    -    const patch = { __proto__: { foobar: true } };
    -    doc = apply(doc, patch);
    +    const patch = JSON.parse('{ "__proto__": { "isAdmin": true }}');
     
    -    assert.deepEqual(doc, {});
    -  });
    +    assert.throws(
    +      () => {
    +        doc = apply(doc, patch);
    +      },
    +      Error,
    +      "Prototype pollution attempt"
    +    );
     
    -  // https://github.com/lodash/lodash/pull/4336
    -  it("prevents constructor pollution", () => {
    -    let doc = {};
    -
    -    const patch = { constructor: { foo: "bar" } };
    -    doc = apply(doc, patch);
    -    assert.equal("foo" in Object, false);
    -    assert.equal(Object.foo, undefined);
    -    assert.deepEqual(doc, patch);
    +    assert.equal(doc.isAdmin, undefined);
    +    assert.equal("isAdmin" in doc, false);
       });
     });
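Review bot: switching the fixture to `JSON.parse('{ "__proto__": { "isAdmin": true }}')` is the right move, because the old literal `{ __proto__: { foobar: true } }` sets the literal's prototype and creates no own key, so the previous test passed without ever reaching the merge loop. Two follow-ups: the third argument in `assert.throws(() => {...}, Error, "Prototype pollution attempt")` is only a failure message under Node's built-in `assert`, so the thrown text is not actually checked; passing `/Prototype pollution attempt/` as the second argument verifies it under both Node's assert and chai. And the removed `prevents constructor pollution` case should stay as a regression test, since nothing in the new test covers a `constructor` key; the final assertions should also probe a fresh object (`assert.equal({}.isAdmin, undefined)`) rather than only `doc`, because a successful pollution shows up on `Object.prototype`, not as an own property of `doc`.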
    

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
