CVE-2020-28458 Overview
CVE-2020-28458 is a Prototype Pollution vulnerability affecting datatables.net versions released before the fix. It exists because the fix for a previously identified prototype pollution issue (SNYK-JS-DATATABLESNET-598806) was incomplete. The flaw lets an attacker inject properties into JavaScript object prototypes through specially crafted input, potentially leading to property injection, denial of service, or code execution in downstream applications.
Critical Impact
Attackers can pollute JavaScript object prototypes via the constructor property, bypassing the original fix that only blocked __proto__ traversal, enabling potential remote code execution or denial of service.
Affected Products
- datatables.net (all versions prior to patch)
- org.webjars.bower:datatables.net
- org.webjars.npm:datatables.net
Discovery Timeline
- 2020-12-16 - CVE-2020-28458 published to NVD
- 2024-11-21 - Last updated in NVD database
Technical Details for CVE-2020-28458
Vulnerability Analysis
The vulnerability stems from an incomplete security fix for prototype pollution in the datatables.net library. The original patch addressed prototype pollution via the __proto__ property but failed to account for the constructor property, which provides an alternative pathway to modify object prototypes in JavaScript.
Prototype Pollution is a vulnerability class specific to JavaScript where an attacker can inject properties into existing JavaScript objects' prototype chain. When successful, this can lead to various attack scenarios including denial of service, property injection that modifies application behavior, or in certain contexts, remote code execution.
The datatables.net library resolves data property paths that walk nested object structures, and those paths can be derived from user-controlled input. Without validation of property names such as constructor along the path, an attacker can reach and modify Object.prototype, affecting every ordinary object in the JavaScript runtime.
Root Cause
The root cause is insufficient input validation in the data property traversal logic within core.data.js. The original fix blocked __proto__ as a dangerous property name but overlooked that constructor provides an equivalent attack vector. In JavaScript, obj.constructor.prototype points to the same object as obj.__proto__, allowing attackers to bypass the incomplete sanitization.
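To make the root cause concrete, here is an added illustration (not DataTables' own code, and not taken from the commit above): a minimal dotted-path resolver of the kind a library uses to honour a nested data path, once without any guard and once with the same two-name guard the fix introduces. The function names, the BLOCKED_SEGMENTS set and the sample paths are assumptions made for this example. The unguarded resolver is only used to report, without writing anything, whether a path prefix lands on Object.prototype.

```javascript
// Added example, not DataTables code. A simplified dotted-path resolver that
// returns the object the final path segment would be written into.

// Unguarded walk over every segment except the last. With an ordinary {} root,
// 'constructor' resolves to Object and then 'prototype' to Object.prototype,
// which is the path the incomplete fix (blocking only '__proto__') left open.
function resolveContainerUnguarded(root, path) {
  const parts = path.split('.');
  let cur = root;
  for (let i = 0; i < parts.length - 1; i++) {
    if (cur[parts[i]] === undefined) {
      cur[parts[i]] = {};
    }
    cur = cur[parts[i]];
  }
  return cur;
}

// The names the fix refuses anywhere in the path prefix (assumed set name).
const BLOCKED_SEGMENTS = new Set(['__proto__', 'constructor']);

// Same walk with the guard applied before each step into the structure.
function resolveContainerGuarded(root, path) {
  const parts = path.split('.');
  let cur = root;
  for (let i = 0; i < parts.length - 1; i++) {
    if (BLOCKED_SEGMENTS.has(parts[i])) {
      throw new Error('Cannot set prototype values');
    }
    if (cur[parts[i]] === undefined) {
      cur[parts[i]] = {};
    }
    cur = cur[parts[i]];
  }
  return cur;
}

// Writes `value` at `path` on `root` using the guarded traversal. The last
// segment is not guarded: writing it creates an own property on the
// container, it never steps further into the prototype chain.
function setDataGuarded(root, path, value) {
  const parts = path.split('.');
  const container = resolveContainerGuarded(root, path);
  container[parts[parts.length - 1]] = value;
  return root;
}

// Read-only check usable as a unit test in your own code base: does this
// path prefix resolve to Object.prototype when walked without a guard?
function reachesObjectPrototype(path) {
  return resolveContainerUnguarded({}, path) === Object.prototype;
}

// Constructed sample paths: one ordinary, two that reach the shared prototype.
const SAMPLE_PATHS = ['user.profile.name', 'constructor.prototype.polluted', '__proto__.polluted'];

for (const p of SAMPLE_PATHS) {
  console.log(p, 'reaches Object.prototype:', reachesObjectPrototype(p));
}
```

The check in reachesObjectPrototype compares identities rather than writing a marker property, so running it does not itself pollute the runtime; the guarded setter is the shape to keep in any code that turns untrusted strings into property paths.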
Attack Vector
This vulnerability can be exploited remotely over the network without authentication. An attacker would craft malicious input containing the constructor property in a data property path. When datatables.net processes this input, it traverses the object structure and allows modification of the prototype chain. The attack requires no user interaction and can be delivered through any application endpoint that passes user-controlled data to the vulnerable datatables.net functions.
// Security patch from js/core/core.data.js
// Source: https://github.com/DataTables/DataTablesSrc/commit/a51cbe99fd3d02aa5582f97d4af1615d11a1ea03
for ( var i=0, iLen=a.length-1 ; i<iLen ; i++ )
{
// Protect against prototype pollution
- if (a[i] === '__proto__') {
+ if (a[i] === '__proto__' || a[i] === 'constructor') {
throw new Error('Cannot set prototype values');
}
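Review bot: the guard covers only indices 0 to a.length-2 because of `iLen=a.length-1`, so the final path segment is never compared against '__proto__' or 'constructor'. That is sound only because the final step is a plain assignment, which creates an own property on the resolved object and does not walk further into the chain; a short comment on the loop stating that invariant would stop a future refactor from moving the write inside the loop without the check. A regression test that feeds both a `constructor.prototype.x` and a `__proto__.x` path and expects the 'Cannot set prototype values' error would lock the corrected behaviour in. Note also that the excerpt ends before the loop's closing brace, so anyone copying it needs the full function from the linked commit.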
Detection Methods for CVE-2020-28458
Indicators of Compromise
- Unexpected modifications to Object.prototype or other built-in prototypes in JavaScript runtime
- Application behavior anomalies caused by injected prototype properties
- Error logs showing attempts to access constructor or __proto__ properties in data paths
- Unusual input patterns containing nested property references with constructor in payloads
Detection Strategies
- Implement Software Composition Analysis (SCA) scanning to identify vulnerable datatables.net versions in your codebase
- Monitor application logs for errors related to prototype property access attempts
- Use runtime application self-protection (RASP) tools to detect prototype pollution attempts
- Audit npm dependencies with npm audit or similar tools to identify known vulnerable packages
Monitoring Recommendations
- Enable verbose logging for datatables.net data processing operations
- Configure Web Application Firewalls (WAF) to detect and block payloads containing constructor or __proto__ in JSON data
- Harden the client side against unexpected prototype modification with Object.freeze(Object.prototype), and monitor for the resulting write failures (a TypeError in strict-mode code)
- Set up alerts for dependency vulnerability notifications from package registries
How to Mitigate CVE-2020-28458
Immediate Actions Required
- Update datatables.net to the patched version that includes the fix from commit a51cbe99fd3d02aa5582f97d4af1615d11a1ea03
- Audit all applications using datatables.net to identify vulnerable deployments
- Implement input validation to reject data containing constructor or __proto__ properties
- Review application code for other potential prototype pollution vectors
Patch Information
The vendor has released a security patch addressing this vulnerability. The fix adds constructor to the list of blocked property names alongside __proto__ during data property traversal. Apply the patch by updating to the latest datatables.net version. The specific commit addressing this issue is available on GitHub. Additional security advisories are available from NetApp and Snyk.
Workarounds
- Freeze Object.prototype to prevent prototype pollution: Object.freeze(Object.prototype)
- Implement server-side input validation to reject payloads containing dangerous property names
- Use a Web Application Firewall with rules to detect and block prototype pollution attempts
- Consider using Object.create(null) for objects processing untrusted data to avoid prototype chain issues
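The two code-level workarounds above (server-side validation of dangerous property names, and Object.create(null) for objects that carry untrusted data) can be combined as in this added example, which is not part of the advisory or of DataTables. The function names, the DANGEROUS_KEYS set and the two request bodies are assumptions; the bodies are constructed to resemble the shape of a server-side table request (a draw counter and a columns array with per-column data paths), with one body carrying a nested constructor key.

```javascript
// Added example, not DataTables code: reject untrusted JSON that contains
// prototype-reaching keys, and copy accepted data into null-prototype objects.

// The two names the upstream fix blocks (assumed set name).
const DANGEROUS_KEYS = new Set(['__proto__', 'constructor']);

// Recursively scans a parsed JSON value. Returns a JSONPath-style location of
// the first dangerous key, or null when none is present. JSON.parse creates
// "__proto__" as an own property, so Object.keys does see it here.
function findDangerousKey(value, path = '$') {
  if (Array.isArray(value)) {
    for (let i = 0; i < value.length; i++) {
      const hit = findDangerousKey(value[i], `${path}[${i}]`);
      if (hit) return hit;
    }
    return null;
  }
  if (value !== null && typeof value === 'object') {
    for (const key of Object.keys(value)) {
      if (DANGEROUS_KEYS.has(key)) return `${path}.${key}`;
      const hit = findDangerousKey(value[key], `${path}.${key}`);
      if (hit) return hit;
    }
  }
  return null;
}

// Parses a request body and refuses it when any object key could reach a
// prototype. Malformed JSON throws from JSON.parse as usual.
function parseUntrustedBody(text) {
  const parsed = JSON.parse(text);
  const bad = findDangerousKey(parsed);
  if (bad) {
    throw new Error(`rejected payload: dangerous key at ${bad}`);
  }
  return parsed;
}

// Deep-copies a parsed value into objects with no prototype chain, so that
// code walking property paths over it has no Object.prototype to reach.
function toNullPrototype(value) {
  if (Array.isArray(value)) return value.map(toNullPrototype);
  if (value !== null && typeof value === 'object') {
    const out = Object.create(null);
    for (const key of Object.keys(value)) {
      out[key] = toNullPrototype(value[key]);
    }
    return out;
  }
  return value;
}

// Constructed sample bodies (not captured traffic).
const SAFE_BODY = '{"draw":1,"columns":[{"data":"user.name"}]}';
const POLLUTING_BODY =
  '{"draw":1,"columns":[{"data":{"constructor":{"prototype":{"polluted":true}}}}]}';

for (const body of [SAFE_BODY, POLLUTING_BODY]) {
  try {
    const data = toNullPrototype(parseUntrustedBody(body));
    console.log('accepted, columns:', data.columns.length);
  } catch (e) {
    console.log(e.message);
  }
}
```

Validation should run before the body reaches any path-walking code, since the vulnerable traversal happens while the path is resolved. Freezing Object.prototype, the other workaround listed above, is a global setting: writes to it fail silently in sloppy-mode code and throw in strict mode, and any library that legitimately extends Object.prototype will break, so test the whole application under the freeze before relying on it.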
# Update datatables.net to the latest patched version
npm update datatables.net
# Audit for vulnerable dependencies
npm audit
# Force update if needed
npm install datatables.net@latest
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.