CVE-2020-15256 Overview
A prototype pollution vulnerability has been discovered in the object-path Node.js package affecting versions up to and including 0.11.4. This vulnerability specifically impacts the set() method and can allow attackers to modify the prototype of base objects, potentially leading to remote code execution, denial of service, or other security compromises in applications that utilize this library.
Critical Impact
Attackers can exploit this prototype pollution vulnerability to inject malicious properties into JavaScript object prototypes, potentially compromising the entire application's execution context and enabling remote code execution.
Affected Products
- object-path versions <= 0.11.4 (all set() usage is vulnerable in versions < 0.11.0)
- object-path versions >= 0.11.0 to <= 0.11.4 when using includeInheritedProps: true option
- Applications using the withInheritedProps instance
Discovery Timeline
- 2020-10-19 - CVE-2020-15256 published to NVD
- 2024-11-21 - Last updated in NVD database
Technical Details for CVE-2020-15256
Vulnerability Analysis
This prototype pollution vulnerability affects the set() method in the object-path library, a popular Node.js package used for accessing and manipulating deep object properties using path notation. The vulnerability allows an attacker to pollute JavaScript object prototypes by setting values on special properties like __proto__ or constructor.
In JavaScript, prototype pollution occurs when an attacker can modify the prototype of a base object, which then affects all objects that inherit from that prototype. This can lead to property injection, denial of service, or even remote code execution depending on how the polluted properties are used by the application.
The vulnerability is limited to specific configurations in versions >= 0.11.0. The includeInheritedProps mode must be explicitly enabled by creating a new instance of object-path with the option includeInheritedProps: true, or by using the default withInheritedProps instance. However, any usage of set() in versions < 0.11.0 is vulnerable regardless of configuration.
Root Cause
The root cause of this vulnerability is insufficient input validation in the set() method when handling property paths. The function failed to block access to JavaScript's magic properties (__proto__ and constructor) that provide access to object prototypes. When the includeInheritedProps option is enabled, attackers could traverse to these special properties and modify them, polluting the prototype chain.
Attack Vector
This vulnerability is exploitable over the network without requiring authentication or user interaction. An attacker can craft a malicious path parameter to the set() method that targets the __proto__ or constructor properties. When the vulnerable code processes this input, it modifies the prototype of the base Object, potentially affecting all objects in the application.
The attack requires the application to:
- Use object-path version <= 0.11.4
- Either use a version < 0.11.0, OR have includeInheritedProps: true enabled, OR use the withInheritedProps instance
- Pass attacker-controlled input to the set() method's path parameter
}
var currentPath = path[0];
var currentValue = getShallowProperty(obj, currentPath);
+ if (options.includeInheritedProps && (currentPath === '__proto__' ||
+ (currentPath === 'constructor' && typeof currentValue === 'function'))) {
+ throw new Error('For security reasons, object\'s magic properties cannot be set')
+ }
if (path.length === 1) {
if (currentValue === void 0 || !doNotReplace) {
obj[currentPath] = value;
Source: GitHub Commit
The patch adds explicit checks to block setting values on __proto__ and constructor properties when includeInheritedProps mode is active, throwing a security error instead.
Detection Methods for CVE-2020-15256
Indicators of Compromise
- Unexpected properties appearing on Object.prototype or other base prototypes
- Application behavior anomalies caused by polluted prototype properties
- Error logs showing attempts to access __proto__ or constructor paths through object-path
- Suspicious input patterns containing __proto__, constructor, or prototype in request parameters
Detection Strategies
- Implement static code analysis to identify usage of object-path library and check for vulnerable versions
- Use software composition analysis (SCA) tools to detect vulnerable object-path dependencies in package.json or package-lock.json
- Monitor application logs for unusual property access patterns involving prototype-related keywords
- Deploy runtime application self-protection (RASP) solutions to detect prototype pollution attempts
Monitoring Recommendations
- Enable verbose logging for input validation failures in Node.js applications
- Monitor for anomalous object property assignments in application telemetry
- Set up alerts for dependency vulnerability notifications from npm audit or similar tools
- Implement application performance monitoring to detect unexpected behavior changes that could indicate prototype pollution
How to Mitigate CVE-2020-15256
Immediate Actions Required
- Upgrade object-path to version 0.11.5 or later immediately
- Audit application code to identify all usages of the set() method with object-path
- If using versions >= 0.11.0, disable the includeInheritedProps option if not strictly required
- Avoid using the withInheritedProps instance unless absolutely necessary
- Run npm audit to identify any other vulnerable dependencies
Patch Information
The vulnerability has been fixed in object-path version 0.11.5. The patch introduces validation logic that explicitly blocks attempts to set values on __proto__ and constructor properties when the includeInheritedProps mode is enabled. Users should update their dependencies by running npm update object-path or explicitly setting the version in package.json to >=0.11.5. For additional details, see the GitHub Security Advisory.
Workarounds
- Avoid using the includeInheritedProps: true option when creating object-path instances
- Do not use the withInheritedProps instance if running a version >= 0.11.0
- Implement input validation to sanitize paths before passing them to set(), blocking __proto__, constructor, and prototype
- Consider using alternative libraries with built-in prototype pollution protections
# Configuration example
# Update object-path to the patched version
npm install object-path@0.11.5
# Or update package.json dependency
# "object-path": ">=0.11.5"
# Audit for vulnerable dependencies
npm audit
# Fix vulnerabilities automatically where possible
npm audit fix
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
