VYPR
High severity · NVD Advisory · Published Jan 28, 2022 · Updated Sep 16, 2024

Prototype Pollution

CVE-2021-23558

Description

The package bmoor before 0.10.1 is vulnerable to Prototype Pollution due to missing sanitization in the set function. Note: This vulnerability derives from an incomplete fix in CVE-2020-7736.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

The bmoor package before 0.10.1 is vulnerable to prototype pollution due to missing sanitization in the set function, which derives from an incomplete fix for CVE-2020-7736.

Vulnerability

The bmoor package before 0.10.1 is vulnerable to prototype pollution through its set function, and the flaw is an incomplete fix for CVE-2020-7736. set writes a value at a property path supplied as an array of segments. The earlier fix compared each segment against the strings __proto__, constructor and prototype, but it compared the raw segment as passed in. A segment that is not a string (the fix commit's own test uses the one-element array ['__proto__']) is not === '__proto__', so it passes the check; yet when that segment is used as a property key, JavaScript coerces it to the string '__proto__', so the walk descends into the object's prototype and the next segment is written onto Object.prototype [1][2].

Exploitation

An attacker exploits this by getting a path into set whose segment is not the literal string __proto__ (or constructor followed by prototype) but coerces to it when used as a key, for example the path [['__proto__'], 'polluted'] exercised by the fix commit's test. No authentication or special network position is required; the precondition is an application that builds set paths from user-controlled input, such as parsed JSON or query parameters, without checking that every segment is a plain string. A single such request is enough to write a property onto Object.prototype [1][3].

Impact

Successful exploitation writes attacker-chosen properties onto Object.prototype, so every object in the process that does not define those properties itself now inherits them. What that does depends on how the application later reads such properties: denial of service when an unexpected inherited value triggers an exception, changed application behavior when logic keys off a property that is now present everywhere, or remote code execution if a polluted value reaches a code path that evaluates or executes it [3][4].

Mitigation

Users should upgrade bmoor to version 0.10.1 or later. The fix coerces every path segment with String() before comparing it against the blocked keys, in set and get and in their _makeSetter and _makeGetter helpers, so a segment that would coerce to __proto__ is now rejected. No workaround is published for earlier versions; a caller that cannot upgrade immediately can at least refuse any path segment that is not a string before handing the path to set, since non-string segments are exactly the class of input the incomplete fix missed. As of the publication date (2022-01-28), this CVE is not listed in the CISA Known Exploited Vulnerabilities (KEV) catalog [2].
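The bypass and the fix described in the Vulnerability, Exploitation and Mitigation paragraphs above, as an added example written for this page in plain JavaScript (it is not bmoor's code). It gives a minimal path setter in a vulnerable form (blocklist compared against the raw segment, as before 0.10.1) and a hardened form (String() coercion before the comparison, as in the 0.10.1 fix, plus an own-property-only walk that is this example's own addition and not part of the upstream change), and a probe that reports whether a write reached Object.prototype. All inputs are constructed: the array form is the one from the fix commit's test, and the toString form generalizes it, since property access applies the same string coercion to any object.

```javascript
// Added example, not bmoor's code. A minimal path-based setter in a
// vulnerable and a hardened form, plus a probe that reports whether
// Object.prototype was polluted by a call.

const UNSAFE_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Vulnerable variant. The blocklist is checked against the raw segment, but
// cur[seg] coerces seg with ToPropertyKey, i.e. String(seg). A segment such
// as ['__proto__'] is !== '__proto__' and passes the check, yet
// cur[['__proto__']] is cur.__proto__, so the walk lands on Object.prototype.
function setVulnerable(root, path, value) {
  const segments = path.slice();
  const last = segments.pop();
  let cur = root;
  for (const seg of segments) {
    if (UNSAFE_KEYS.has(seg)) throw new Error('blocked key: ' + String(seg));
    if (cur[seg] === undefined) cur[seg] = {};
    cur = cur[seg];
  }
  cur[last] = value;
  return root;
}

// Hardened variant. Every segment is coerced with String() before the
// comparison (what the 0.10.1 fix does). Additionally the walk only descends
// into own properties, so an inherited name such as 'toString' can never
// become a traversal point; that part is this example's own extra hardening,
// not something the upstream fix adds.
function setHardened(root, path, value) {
  const segments = path.map((s) => String(s));
  const last = segments.pop();
  for (const seg of segments.concat(last)) {
    if (UNSAFE_KEYS.has(seg)) throw new Error('blocked key: ' + seg);
  }
  let cur = root;
  for (const seg of segments) {
    const own = Object.prototype.hasOwnProperty.call(cur, seg);
    if (!own || typeof cur[seg] !== 'object' || cur[seg] === null) cur[seg] = {};
    cur = cur[seg];
  }
  cur[last] = value;
  return root;
}

// Probe: run a setter against a fresh object and report whether the write
// reached Object.prototype. A brand-new {} can only see 'polluted' through
// its prototype chain. The property is deleted afterwards so repeated probes
// do not influence each other.
function probe(setter, path) {
  const target = {};
  let threw = false;
  try {
    setter(target, path, 'polluted');
  } catch (err) {
    threw = true;
  }
  const leaked = ({}).polluted;
  delete Object.prototype.polluted;
  return { threw, leaked };
}

// Constructed inputs: the string form (already blocked by the CVE-2020-7736
// fix), the array form from the 0.10.1 test, an object whose toString yields
// '__proto__' (same coercion, same outcome), and the constructor.prototype route.
const PATHS = {
  string: ['__proto__', 'polluted'],
  array: [['__proto__'], 'polluted'],
  toString: [{ toString: () => '__proto__' }, 'polluted'],
  ctor: ['constructor', 'prototype', 'polluted'],
};

// Runs every constructed path through both setters and collects the results.
function demo() {
  const out = {};
  for (const [name, path] of Object.entries(PATHS)) {
    out[name] = {
      vulnerable: probe(setVulnerable, path),
      hardened: probe(setHardened, path),
    };
  }
  return out;
}

console.log(JSON.stringify(demo(), null, 2));
```

Running it shows the string and constructor forms blocked by both setters, while the array and toString forms pass the vulnerable setter's check and leave 'polluted' readable on a fresh object; the hardened setter rejects all four and still performs ordinary writes such as setHardened({}, ['a', 'b'], 1).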

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package        Affected versions   Patched versions
bmoor (npm)    < 0.10.1            0.10.1

Affected products

3

Patches

1
29b0162cc1dc

fix: bug with [__proto__]

https://github.com/b-heilman/bmoor · Brian Heilman · Jan 25, 2022 · via ghsa
3 files changed · +18 −5
  • package.json (+4 −3, modified)
    @@ -1,6 +1,6 @@
     {
    
       "name": "bmoor",
    
    -  "version": "0.10.0",
    
    +  "version": "0.10.1",
    
       "author": "Brian Heilman <das.ist.junk@gmail.com>",
    
       "description": "A basic foundation for other libraries, establishing useful patterbs, and letting them be more.",
    
       "license": "MIT",
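Review bot: the "description" line carries a pre-existing typo, "patterbs" for "patterns"; since package.json is already being edited for the version bump, fixing it here (or in a follow-up) is cheap and keeps the published metadata clean.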
    
    @@ -29,7 +29,8 @@
       },
    
       "scripts": {
    
         "lint": "node ./node_modules/eslint/bin/eslint ./src",
    
    -    "test": "npm run prettier && mocha --recursive \"./src/**/*.spec.js\"",
    
    -    "prettier": "npx prettier --write ./src && npm run lint"
    
    +    "test": "mocha --recursive \"./src/**/*.spec.js\"",
    
    +    "prettier": "npx prettier --write ./src",
    
    +    "finalize": "npm run lint && npm run prettier && npm run test"
    
       }
    
     }
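Review bot: the scripts change is unrelated to the __proto__ fix and belongs in a separate commit. It also changes behaviour: "test" no longer runs prettier or lint, so any pipeline that only calls npm test silently loses lint coverage unless it is switched to the new "finalize" script. Either keep lint inside "test" or document the new "finalize" entry point wherever the contribution workflow is described.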
    
    
  • src/core.js (+6 −2, modified)
    @@ -182,7 +182,7 @@ function set(root, space, value) {
     	val = space.pop();
     
     	for (i = 0, c = space.length; i < c; i++) {
    -		nextSpace = space[i];
    +		nextSpace = String(space[i]);
     
     		if (
     			nextSpace === '__proto__' ||
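Review bot: String(space[i]) applies the same ToString that property access applies, so a one-element array ['__proto__'] or any object whose toString returns '__proto__' is now compared as the string and rejected; that is the right fix. One follow-up: val = space.pop() at the top of the hunk takes the final segment before the loop and is not coerced or checked here, so confirm the final key receives the same String() treatment at the point where it is assigned.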
    @@ -205,6 +205,8 @@ function set(root, space, value) {
     }
     
     function _makeSetter(property, next) {
    +	property = String(property);
    +
     	if (
     		property === '__proto__' ||
     		property === 'constructor' ||
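Review bot: the same three-way comparison against '__proto__', 'constructor' and 'prototype', now preceded by a String() coercion, is duplicated in set, _makeSetter, get and _makeGetter. Extract it into one helper (for example an isUnsafeKey(key) that coerces and checks) so that a future bypass only has to be fixed in one place and a missed String() in one copy cannot quietly reopen the issue.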
    @@ -265,7 +267,7 @@ function get(root, path) {
     	space = parse(path);
     	if (space.length) {
     		for (i = 0, c = space.length; i < c; i++) {
    -			nextSpace = space[i];
    +			nextSpace = String(space[i]);
     
     			if (
     				nextSpace === '__proto__' ||
    @@ -287,6 +289,8 @@ function get(root, path) {
     }
     
     function _makeGetter(property, next) {
    +	property = String(property);
    +
     	if (
     		property === '__proto__' ||
     		property === 'constructor' ||
    
  • src/core.spec.js (+8 −0, modified)
    @@ -92,6 +92,14 @@ describe('Testing object setting/getting', function () {
     
     			expect(t.polluted).to.not.equal(true);
     		});
    +
    +		it('should not allow __proto__ when in array', function () {
    +			var t = {};
    +
    +			bmoor.set(t, [['__proto__'], 'polluted'], 'polluted');
    +
    +			expect(t.polluted).to.not.equal('polluted');
    +		});
     	});
     
     	describe('::makeSetter', function () {
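Review bot: the new test reads t.polluted, which would be inherited if Object.prototype had been polluted, but if the assertion ever fails the property stays on Object.prototype for the rest of the run and can mask or break later tests. Add an afterEach that deletes Object.prototype.polluted, and assert on Object.prototype.hasOwnProperty('polluted') (or ({}).polluted) so the check is explicitly about the global prototype rather than the local object. The test also only exercises set; the same array-segment input should be run against get, makeSetter and makeGetter, which received the same change in this commit.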
    

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

7

News mentions

0

No linked articles in our index yet.