CVE-2020-8116
Description
Prototype pollution vulnerability in dot-prop npm package versions before 4.2.1 and versions 5.x before 5.1.1 allows an attacker to add arbitrary properties to JavaScript language constructs such as objects.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Prototype pollution in dot-prop npm package before 4.2.1 and 5.x before 5.1.1 allows attackers to inject arbitrary properties into object prototypes.
Vulnerability
Overview
The dot-prop npm package, which provides utility functions for getting, setting, and deleting properties on nested JavaScript objects using dot paths, contained a prototype pollution vulnerability in versions before 4.2.1 and 5.x before 5.1.1 [1][2]. The root cause was the lack of validation on path segments passed to functions like setProperty. An attacker could supply a path containing dangerous keys such as __proto__, prototype, or constructor, which when processed would modify the object's prototype chain instead of a legitimate property [3][4].
Exploitation
Exploitation does not require authentication if the application uses dot-prop to process user-controlled input, such as query parameters, JSON payloads, or path strings. An attacker can craft a request with a payload like setProperty(obj, '__proto__.polluted', true) and, because the library did not block the __proto__ segment, the property polluted would be set on Object.prototype [2][3]. This can affect all objects in the runtime that inherit from that prototype.
Impact
Successful exploitation allows an attacker to add arbitrary properties to JavaScript language constructs (objects) globally [1]. This can lead to privilege escalation, denial of service, or remote code execution depending on the application logic that later iterates over object properties or trusts inherited values. The impact is amplified in server-side Node.js environments where a polluted prototype can affect multiple requests [2].
Mitigation
The vulnerability is fixed in dot-prop versions 4.2.1 and 5.1.1. The fix introduces a disallowed list of key segments (__proto__, prototype, constructor) and a validation function isValidPath that returns an empty array for paths containing any of these keys, preventing both get and set operations [3][4]. Users should update to the patched versions immediately. No workaround is available for unpatched versions.
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
dot-propnpm | < 4.2.1 | 4.2.1 |
dot-propnpm | >= 5.0.0, < 5.1.1 | 5.1.1 |
Affected products
4- dot-prop/dot-propdescription
- ghsa-coords3 versions
< 4.2.1+ 2 more
- (no CPE)range: < 4.2.1
- (no CPE)range: < 1.18.3-1.module_el8.3.0+2023+d2377ea3
- (no CPE)range: < 17-3.module_el8.4.0+2224+b07ac28e
Patches
2c914124f418ffeat: patch 4.2.0 with fixes for CVE-2020-8116
5 files changed · +32 −5
bench.js+1 −1 modified@@ -1,6 +1,6 @@ 'use strict'; /* globals bench */ -const m = require('./'); +const m = require('.'); bench('get', () => { const f1 = {foo: {bar: 1}};
index.js+18 −0 modified@@ -1,6 +1,14 @@ 'use strict'; const isObj = require('is-obj'); +const disallowedKeys = [ + '__proto__', + 'prototype', + 'constructor' +]; + +const isValidPath = pathSegments => !pathSegments.some(segment => disallowedKeys.includes(segment)); + function getPathSegments(path) { const pathArr = path.split('.'); const parts = []; @@ -16,6 +24,10 @@ function getPathSegments(path) { parts.push(p); } + if (!isValidPath(parts)) { + return []; + } + return parts; } @@ -26,6 +38,9 @@ module.exports = { } const pathArr = getPathSegments(path); + if (pathArr.length === 0) { + return; + } for (let i = 0; i < pathArr.length; i++) { if (!Object.prototype.propertyIsEnumerable.call(obj, pathArr[i])) { @@ -58,6 +73,9 @@ module.exports = { const root = obj; const pathArr = getPathSegments(path); + if (pathArr.length === 0) { + return; + } for (let i = 0; i < pathArr.length; i++) { const p = pathArr[i];
package.json+3 −3 modified@@ -1,6 +1,6 @@ { "name": "dot-prop", - "version": "4.2.0", + "version": "4.2.1", "description": "Get, set, or delete a property from a nested object using a dot path", "license": "MIT", "repository": "sindresorhus/dot-prop", @@ -38,9 +38,9 @@ "is-obj": "^1.0.0" }, "devDependencies": { - "ava": "*", + "ava": "1.4.1", "matcha": "^0.7.0", - "xo": "*" + "xo": "0.24.0" }, "xo": { "esnext": true
readme.md+2 −0 modified@@ -85,6 +85,8 @@ Path of the property in the object, using `.` to separate each nested key. Use `\\.` if you have a `.` in the key. +The following path components are invalid and results in `undefined` being returned: `__proto__`, `prototype`, `constructor`. + #### value Type: `any`
test.js+8 −1 modified@@ -1,5 +1,5 @@ import test from 'ava'; -import m from './'; +import m from '.'; test('get', t => { const f1 = {foo: {bar: 1}}; @@ -199,3 +199,10 @@ test('has', t => { t.is(m.has({'foo.baz': {bar: true}}, 'foo\\.baz.bar'), true); t.is(m.has({'fo.ob.az': {bar: true}}, 'fo\\.ob\\.az.bar'), true); }); + +test('prevent setting/getting `__proto__`', t => { + m.set({}, '__proto__.unicorn', '🦄'); + t.not({}.unicorn, '🦄'); // eslint-disable-line no-use-extend-native/no-use-extend-native + + t.is(m.get({}, '__proto__'), undefined); +});
3039c8c07f6fPrevent setting/getting some problematic path components
3 files changed · +27 −0
index.js+18 −0 modified@@ -1,6 +1,14 @@ 'use strict'; const isObj = require('is-obj'); +const disallowedKeys = [ + '__proto__', + 'prototype', + 'constructor' +]; + +const isValidPath = pathSegments => !pathSegments.some(segment => disallowedKeys.includes(segment)); + function getPathSegments(path) { const pathArray = path.split('.'); const parts = []; @@ -16,6 +24,10 @@ function getPathSegments(path) { parts.push(p); } + if (!isValidPath(parts)) { + return []; + } + return parts; } @@ -26,6 +38,9 @@ module.exports = { } const pathArray = getPathSegments(path); + if (pathArray.length === 0) { + return; + } for (let i = 0; i < pathArray.length; i++) { if (!Object.prototype.propertyIsEnumerable.call(object, pathArray[i])) { @@ -105,6 +120,9 @@ module.exports = { } const pathArray = getPathSegments(path); + if (pathArray.length === 0) { + return false; + } for (let i = 0; i < pathArray.length; i++) { if (isObj(object)) {
readme.md+2 −0 modified@@ -85,6 +85,8 @@ Path of the property in the object, using `.` to separate each nested key. Use `\\.` if you have a `.` in the key. +The following path components are invalid and results in `undefined` being returned: `__proto__`, `prototype`, `constructor`. + #### value Type: `unknown`
test.js+7 −0 modified@@ -199,3 +199,10 @@ test('has', t => { t.is(dotProp.has({'foo.baz': {bar: true}}, 'foo\\.baz.bar'), true); t.is(dotProp.has({'fo.ob.az': {bar: true}}, 'fo\\.ob\\.az.bar'), true); }); + +test('prevent setting/getting `__proto__`', t => { + dotProp.set({}, '__proto__.unicorn', '🦄'); + t.not({}.unicorn, '🦄'); // eslint-disable-line no-use-extend-native/no-use-extend-native + + t.is(dotProp.get({}, '__proto__'), undefined); +});
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
7- github.com/advisories/GHSA-ff7x-qrg7-qggmghsax_refsource_MISCADVISORY
- nvd.nist.gov/vuln/detail/CVE-2020-8116ghsaADVISORY
- github.com/sindresorhus/dot-prop/commit/3039c8c07f6fdaa8b595ec869ae0895686a7a0f2ghsaWEB
- github.com/sindresorhus/dot-prop/commit/c914124f418f55edea27928e89c94d931babe587ghsaWEB
- github.com/sindresorhus/dot-prop/issues/63ghsax_refsource_MISCWEB
- github.com/sindresorhus/dot-prop/tree/v4ghsax_refsource_MISCWEB
- hackerone.com/reports/719856ghsax_refsource_MISCWEB
News mentions
0No linked articles in our index yet.