CVE-2020-5258 Overview
CVE-2020-5258 is a Prototype Pollution vulnerability affecting the Dojo JavaScript toolkit distributed via NPM. The vulnerability exists in the deepCopy method, which fails to properly sanitize property names during object copying operations. Prototype Pollution refers to the ability to inject properties into existing JavaScript language construct prototypes, such as objects. An attacker can manipulate these attributes to overwrite, or pollute, a JavaScript application object prototype of the base object by injecting other values, potentially leading to unauthorized data manipulation or application compromise.
Critical Impact
Attackers can exploit the deepCopy method to inject malicious properties into JavaScript object prototypes, potentially enabling property injection attacks that affect all objects inheriting from the polluted prototype, leading to data integrity compromise across the application.
Affected Products
- Linux Foundation Dojo (versions prior to 1.12.8, 1.13.7, 1.14.6, 1.15.3, and 1.16.2)
- Debian Linux 8.0
- Oracle Communications Application Session Controller 3.9.0
- Oracle Communications Policy Management 12.5.0
- Oracle Communications Pricing Design Center 12.0.0.3.0
- Oracle Documaker
- Oracle MySQL (multiple versions)
- Oracle Primavera Unifier (multiple versions including 18.8, 19.12, 20.12)
- Oracle WebCenter Sites 12.2.1.3.0 and 12.2.1.4.0
- Oracle WebLogic Server 12.2.1.4.0 and 14.1.1.0.0
Discovery Timeline
- March 10, 2020 - CVE-2020-5258 published to NVD
- November 21, 2024 - Last updated in NVD database
Technical Details for CVE-2020-5258
Vulnerability Analysis
The vulnerability resides in the deepCopy method within the Dojo toolkit's request utility module (request/util.js). When performing deep copy operations on JavaScript objects, the method iterates through all properties of a source object and copies them to a target object. The flaw occurs because the method does not exclude the special __proto__ property from being copied.
In JavaScript, the __proto__ property provides access to an object's prototype chain. When an attacker supplies a maliciously crafted object containing a __proto__ property to the deepCopy function, the method copies this property along with all others. This allows the attacker to inject arbitrary properties into the prototype of all JavaScript objects in the application, affecting any code that relies on default object behavior or checks for the presence of certain properties.
This vulnerability is classified under CWE-94 (Improper Control of Generation of Code) and CWE-1321 (Improperly Controlled Modification of Object Prototype Attributes). The network-accessible attack vector with no user interaction requirements makes this vulnerability particularly concerning for web applications using vulnerable Dojo versions.
Root Cause
The root cause is insufficient input validation in the deepCopy method. The function's property iteration loop processes all enumerable properties of the source object without checking whether the property name is the dangerous __proto__ identifier. This allows prototype chain manipulation when untrusted data is passed through the deep copy operation.
Attack Vector
An attacker can exploit this vulnerability by providing a crafted JSON object containing a __proto__ property to any application functionality that uses the vulnerable deepCopy method. Common attack scenarios include:
- Submitting malicious JSON payloads through API endpoints that process user-controlled data
- Exploiting web forms or request parameters that are deep-copied before processing
- Manipulating configuration objects parsed from external sources
The attack can be delivered remotely over the network without requiring authentication or user interaction, making it suitable for automated exploitation.
// Security patch in request/util.js - adds __proto__ check to prevent prototype pollution
for (var name in source) {
var tval = target[name],
sval = source[name];
- if (tval !== sval) {
+ if (name !== '__proto__' && tval !== sval) {
if (shouldDeepCopy(sval)) {
if (Object.prototype.toString.call(sval) === '[object Date]') { // use this date test to handle crossing frame boundaries
target[name] = new Date(sval);
Source: GitHub Commit
Detection Methods for CVE-2020-5258
Indicators of Compromise
- Unexpected properties appearing on Object.prototype or other built-in prototypes during application runtime
- Anomalous JSON payloads containing __proto__, constructor, or prototype keys in application logs
- Application behavior changes indicating global object pollution (e.g., unexpected property values, authentication bypasses)
- Unusual error messages or exceptions related to prototype chain modifications
Detection Strategies
- Implement application-layer logging to capture and analyze incoming JSON payloads for prototype pollution indicators
- Deploy software composition analysis (SCA) tools to identify vulnerable Dojo versions in your dependency tree
- Use runtime application self-protection (RASP) solutions to detect prototype modification attempts
- Monitor for NPM audit warnings indicating the presence of vulnerable Dojo packages
Monitoring Recommendations
- Enable verbose logging for API endpoints that process JSON data and review for suspicious __proto__ patterns
- Configure intrusion detection systems to alert on HTTP requests containing prototype pollution payload signatures
- Implement integrity monitoring for critical JavaScript runtime objects in production environments
- Regularly audit application dependencies using npm audit or equivalent tools to identify vulnerable packages
How to Mitigate CVE-2020-5258
Immediate Actions Required
- Update Dojo to patched versions: 1.12.8, 1.13.7, 1.14.6, 1.15.3, or 1.16.2 or later immediately
- Audit all applications using Dojo to identify instances of the deepCopy method processing untrusted input
- Implement input validation to reject objects containing __proto__, constructor, or prototype properties
- Review Oracle product deployments and apply relevant Critical Patch Updates (CPUs)
Patch Information
The vulnerability has been patched in Dojo versions 1.12.8, 1.13.7, 1.14.6, 1.15.3, and 1.16.2. The fix adds an explicit check to exclude the __proto__ property from being copied during deep copy operations. The security patch is available in the GitHub Commit. For detailed information, refer to the GitHub Security Advisory.
Oracle customers should consult the relevant Critical Patch Update advisories including Oracle CPU July 2020, Oracle CPU July 2021, Oracle CPU October 2021, and Oracle CPU January 2022.
Workarounds
- Implement a custom wrapper function that sanitizes objects by removing dangerous properties before passing them to deepCopy
- Use Object.freeze(Object.prototype) to prevent prototype modifications in critical application paths (note: this may break some legitimate functionality)
- Deploy a Web Application Firewall (WAF) rule to block requests containing __proto__ in JSON payloads
- Consider using alternative deep copy implementations that include built-in prototype pollution protection
# Update Dojo to a patched version
npm update dojo@1.16.2
# Audit your project for vulnerable packages
npm audit
# Check current Dojo version in your project
npm list dojo
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
