VYPR
High severity · NVD Advisory · Published Dec 11, 2020 · Updated Sep 17, 2024

Prototype Pollution

CVE-2020-7792

Description

The mout JavaScript package is vulnerable to Prototype Pollution via its deepFillIn and deepMixIn functions, allowing attackers to pollute Object.prototype.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.


The vulnerability affects all versions of the 'mout' JavaScript package. The deepFillIn and deepMixIn functions recursively merge objects without checking for special keys like __proto__, enabling Prototype Pollution [1].

An attacker can exploit this by providing a crafted JSON object containing a __proto__ property with arbitrary sub-properties. When the vulnerable functions merge this object, the properties are copied onto the global Object.prototype, polluting it [2].

Polluting Object.prototype can lead to Denial of Service (DoS) by causing unexpected JavaScript exceptions, or to Remote Code Execution (RCE) if the polluted properties alter application logic [2].

As of the publication date, all versions of mout are affected and no patch is available. Mitigation involves avoiding recursive merge on untrusted input or using an alternative library [1].
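
The unfiltered recursive merge described above, beside a key-filtered version, as an added example (not mout's source and not part of the advisory). The function names `naiveDeepMerge`, `safeDeepMerge` and `demo` and the JSON payload are constructed for illustration.

```javascript
// Added illustration, not mout's source. naiveDeepMerge stands in for any
// recursive merge without a key filter; safeDeepMerge is a hardened variant.
const BLOCKED_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function isPlainObject(v) {
  return v !== null && typeof v === 'object' && !Array.isArray(v);
}

// Unfiltered merge: target['__proto__'] resolves to Object.prototype,
// so the recursion writes attacker-chosen keys onto the shared prototype.
function naiveDeepMerge(target, source) {
  for (const key in source) {
    if (isPlainObject(source[key]) && isPlainObject(target[key])) {
      naiveDeepMerge(target[key], source[key]);
    } else {
      target[key] = source[key];
    }
  }
  return target;
}

// Hardened merge: own keys only, exact-match blocklist, and recursion only
// into objects the target itself owns (never into inherited ones).
function safeDeepMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (BLOCKED_KEYS.has(key)) continue;
    const src = source[key];
    const owned = Object.prototype.hasOwnProperty.call(target, key);
    if (isPlainObject(src)) {
      const dest = owned && isPlainObject(target[key]) ? target[key] : {};
      target[key] = safeDeepMerge(dest, src); // copy instead of aliasing input
    } else {
      target[key] = src;
    }
  }
  return target;
}

// Runs both merges over a constructed payload and reports the outcome.
function demo() {
  const payload = JSON.parse('{"a":{"b":1},"__proto__":{"polluted":true}}');
  naiveDeepMerge({}, payload);
  const naivePolluted = ({}).polluted === true;
  delete Object.prototype.polluted; // restore the shared prototype
  const merged = safeDeepMerge({ a: { c: 2 } }, payload);
  return { naivePolluted, safePolluted: ({}).polluted === true, merged };
}

console.log(demo());
```

The blocklist compares whole key names, so ordinary keys that merely contain one of those words still merge.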

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

| Package | Affected versions | Patched versions |
|---|---|---|
| mout (npm) | < 1.2.3 | 1.2.3 |


Patches

3fecf1333e6d

Merge pull request #270 from 418sec/1-npm-mout

https://github.com/mout/mout · Mathias Paumgarten · Jul 15, 2021 · via ghsa
1 file changed · +4 -0
  • src/object/set.js · +4 -0 · modified
    @@ -4,6 +4,10 @@ define(['./namespace'], function (namespace) {
          * set "nested" object property
          */
         function set(obj, prop, val){
    +        // prototype pollution mitigation
    +        if(prop.includes('__proto__') || prop.includes('prototype') || prop.includes('constructor')) {
    +            return false;
    +        }
             var parts = (/^(.+)\.(.+)$/).exec(prop);
             if (parts){
                 namespace(obj, parts[1])[parts[2]] = val;
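
Review bot: the guard on the added `if` line tests substrings of the whole `prop` path instead of comparing each dot-separated segment, so a legitimate path such as `constructorName` or `a.prototypes` is rejected too, and the caller only sees a bare `return false`. It also calls `prop.includes` before the regex runs, so a non-string `prop` (a number, for example) now throws where `exec(prop)` would have coerced it. Consider splitting `prop` on `.` and rejecting only segments exactly equal to `__proto__`, `prototype` or `constructor`, and documenting the new `false` return in the comment above `set`. This diff changes only `set`; the advisory names deepFillIn and deepMixIn, which are not touched in the visible lines, so confirm those merge paths apply an equivalent key filter.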
    

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
