High severity · NVD Advisory · Published Nov 9, 2020 · Updated Aug 4, 2024

CVE-2020-8268


Description

CVE-2020-8268 is a prototype pollution vulnerability in the json8-merge-patch npm package before 1.0.3, allowing attackers to inject or modify methods and properties of the global object constructor.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.


Vulnerability

CVE-2020-8268 describes a prototype pollution vulnerability in the json8-merge-patch npm package prior to version 1.0.3. The flaw resides in the package's apply function, which implements RFC 7396 JSON merge patch. In versions before 1.0.3, the function did not properly prevent the __proto__ key from being used during patch application, allowing an attacker to pollute the prototype of the base object [1].

Exploitation

To exploit this vulnerability, an attacker must provide a crafted JSON patch that includes a __proto__ property. The package's apply function, by default, created new internal objects using Object.create(null) and then iterated over patch keys without checking for __proto__. Consequently, a patch containing "__proto__": { "someProperty": "value" } would modify the prototype of the global Object constructor, affecting all objects created after the pollution [1][3].

Impact

Successful exploitation enables an attacker to inject arbitrary properties or methods into the prototype of the global Object. This can lead to various security impacts, including data exfiltration, denial of service, or potential remote code execution, depending on how the application uses the affected objects. The vulnerability was reported through HackerOne and assigned a CVSS v3 score of 9.8 (Critical) due to its potential for widespread impact and network-based exploitation without authentication [2].

Mitigation

The vulnerability was fixed in version 1.0.3 of json8-merge-patch. The fix adds an options parameter to the apply function, which by default forces the function to throw an error if a __proto__ key is encountered (unless the pollute option is explicitly set to true). Additionally, new objects are created with a null prototype by default, preventing accidental prototype pollution. Users are strongly advised to update to version 1.0.3 or later [1].
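The key guard described above, as an added example that is not code from json8-merge-patch or from this advisory: it runs the `__proto__` check as a scan of the whole patch before any mutation, so a rejected patch leaves the document unchanged. The names `hasProtoKey`, `merge`, `safeApply` and `demo` are hypothetical, and the sample patches are constructed.

```javascript
// Added example, not the package's code: RFC 7396 merge with the fix's
// "__proto__" guard, run as a pre-scan so a rejected patch leaves doc untouched.
const isObject = (v) => typeof v === "object" && v !== null && !Array.isArray(v);

// JSON.parse creates "__proto__" as an ordinary own property, so Object.keys()
// reports it at any depth; an object literal { __proto__: x } does not.
function hasProtoKey(patch) {
  if (!isObject(patch)) return false;
  return Object.keys(patch).some((k) => k === "__proto__" || hasProtoKey(patch[k]));
}

// Plain recursive merge; only safe when reached through safeApply().
function merge(doc, patch) {
  if (!isObject(patch)) return patch;
  if (!isObject(doc)) doc = Object.create(null); // null prototype, as in the fix
  for (const key of Object.keys(patch)) {
    const v = patch[key];
    if (v === null) delete doc[key];
    else doc[key] = merge(doc[key], v);
  }
  return doc;
}

// Hypothetical wrapper: validate the whole patch first, then merge.
function safeApply(doc, patch) {
  if (hasProtoKey(patch)) throw new Error("Prototype pollution attempt");
  return merge(doc, patch);
}

// Constructed sample input: a benign field followed by a nested "__proto__".
function demo() {
  const doc = { name: "alice", prefs: {} };
  const patch = JSON.parse('{"name":"bob","prefs":{"__proto__":{"isAdmin":true}}}');
  let rejected = false;
  try {
    safeApply(doc, patch);
  } catch (err) {
    rejected = err.message === "Prototype pollution attempt";
  }
  const literal = { __proto__: { isAdmin: true } }; // sets prototype, no own key
  return {
    rejected,
    nameUnchanged: doc.name === "alice",
    cleanPrototype: !("isAdmin" in {}),
    literalHasOwnKey: Object.keys(literal).includes("__proto__"),
    merged: safeApply({ a: 1, b: 2 }, JSON.parse('{"a": null, "c": {"d": 3}}')),
  };
}
console.log(demo());
```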

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

| Package | Affected versions | Patched versions |
| --- | --- | --- |
| json8-merge-patch (npm) | < 1.0.3 | 1.0.3 |

Affected products

2

Patches

1
2e890261b66c

json8-merge-patch: Prevent prototype pollution 2 (#116)

https://github.com/sonnyp/JSON8 · Sonny Piers · Sep 13, 2020 · via ghsa
3 files changed · +37 -19
  • packages/merge-patch/lib/apply.js +13 -5 modified
    @@ -5,21 +5,29 @@ const OBJECT = "object";
     /**
      * Apply a JSON merge patch onto a document
      * https://tools.ietf.org/html/rfc7396
    - * @param  {Object} doc    - JSON object document
    - * @param  {Object} patch  - JSON object patch
    - * @return {Object}        - JSON object document
    + * @param  {Object}  doc                       - JSON object document
    + * @param  {Object}  patch                     - JSON object patch
    + * @param  {Object}  [options]                 - options
    + * @param  {Boolean} [options.pollute=false]   - Allow prototype pollution - throw otherwise
    + * @param  {Object}  [options.proto=null]      - Prototype to use for object creation
    + * @return {Object}                            - JSON object document
      */
    -module.exports = function apply(doc, patch) {
    +module.exports = function apply(doc, patch, options) {
       if (typeof patch !== OBJECT || patch === null || Array.isArray(patch)) {
         return patch;
       }
     
    +  options = options || Object.create(null);
    +
       if (typeof doc !== OBJECT || doc === null || Array.isArray(doc)) {
    -    doc = Object.create(null);
    +    doc = Object.create(options.proto || null);
       }
     
       const keys = Object.keys(patch);
       for (const key of keys) {
    +    if (options.pollute !== true && key === "__proto__") {
    +      throw new Error("Prototype pollution attempt");
    +    }
         const v = patch[key];
         if (v === null) {
           delete doc[key];
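Review bot: the `__proto__` check sits inside the `for (const key of keys)` loop, so it fires only when the loop reaches that key; keys that precede it in the patch have already been applied to `doc` (for example by `delete doc[key]`) when the error is thrown, leaving the caller with a partially patched document. Consider rejecting the patch before the first mutation, or document that `apply` is not atomic on failure. Two smaller points: `options.proto || null` silently falls back to a null prototype for any falsy `proto`, and if the rest of the loop below this hunk recurses, `options` has to be forwarded so nested objects get the same `proto` and `pollute` settings.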
    
  • packages/merge-patch/README.md +12 -0 modified
    @@ -69,6 +69,18 @@ person = mergePatch.apply(person, patch)
     
     [↑](#json8-merge-patch)
     
    +### object creation
    +
    +When needed, `apply` creates objects with `null` prototype, you can choose the prototype to use with `{proto: Object}` as a third argument.
    +
    +[↑](#json8-merge-patch)
    +
    +### prototype pollution
    +
    +`apply` will throw with an error if [prototype pollution](https://github.com/HoLyVieR/prototype-pollution-nsec18) is attempted. You can allow for prototype pollution by passing `{pollute: true}` as a third argument.
    +
    +[↑](#json8-merge-patch)
    +
     ### patch
     
     Alias for [apply](#apply) method.
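Review bot: in the new "object creation" section, `{proto: Object}` reads as passing the `Object` constructor, but the value goes straight into `Object.create(options.proto || null)` in apply.js, which takes a prototype object; state the intended value explicitly (for example `Object.prototype`) in a short usage snippet. The "prototype pollution" section should also say what `{pollute: true}` exposes the caller to and that it is not meant for untrusted patches. The first sentence of "object creation" is a comma splice.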
    
  • packages/merge-patch/test/apply.js +12 -14 modified
    @@ -51,23 +51,21 @@ describe("apply", () => {
         assert.deepEqual(doc, {});
       });
     
    -  // https://github.com/lodash/lodash/pull/4337
    +  // https://github.com/sonnyp/JSON8/issues/113
    +  // https://github.com/HoLyVieR/prototype-pollution-nsec18
       it("prevents prototype pollution", () => {
         let doc = {};
    -    const patch = { __proto__: { foobar: true } };
    -    doc = apply(doc, patch);
    +    const patch = JSON.parse('{ "__proto__": { "isAdmin": true }}');
     
    -    assert.deepEqual(doc, {});
    -  });
    +    assert.throws(
    +      () => {
    +        doc = apply(doc, patch);
    +      },
    +      Error,
    +      "Prototype pollution attempt"
    +    );
     
    -  // https://github.com/lodash/lodash/pull/4336
    -  it("prevents constructor pollution", () => {
    -    let doc = {};
    -
    -    const patch = { constructor: { foo: "bar" } };
    -    doc = apply(doc, patch);
    -    assert.equal("foo" in Object, false);
    -    assert.equal(Object.foo, undefined);
    -    assert.deepEqual(doc, patch);
    +    assert.equal(doc.isAdmin, undefined);
    +    assert.equal("isAdmin" in doc, false);
       });
     });
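Review bot: the "prevents constructor pollution" case is deleted without a replacement, so a patch with a `constructor` key is no longer covered in the visible part of this file, and nothing exercises the new `pollute: true` or `proto` options. Keep the constructor test (it does not depend on the `__proto__` guard) and add one case per option, plus a case where `__proto__` appears below the top level of the patch. Building the patch with `JSON.parse` is the right change, since an object literal with `__proto__` sets the prototype instead of creating a key that `Object.keys` returns.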
    

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

6
