PT-2020-16962 · Npm · Keyget

Published: 2020-12-02 · Updated: 2022-05-24 · CVE-2020-28272

CVSS v3.1: 9.8 (Critical)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: keyget versions 1.0.0 through 2.2.0
Description: The vulnerability allows an attacker to cause a denial of service and may lead to remote code execution because of prototype pollution. The setByPath() function in the 'keyget' npm module does not check the type of the object it is writing into before assigning a value to a property, so an attacker can create properties that did not exist or modify existing ones. The flaw is triggered by passing malicious values in the path and value arguments of setByPath(), including a path segment of __proto__, which pollutes Object.prototype.
Recommendations: For keyget versions 1.0.0 through 2.2.0, as a temporary workaround, consider disabling the setByPath() function until a patch is available. Restrict access to setByPath() to minimize the risk of exploitation, and avoid using the path and value parameters of the affected setByPath() function until the issue is resolved. At the time of writing, there is no information about a newer version that contains a fix for this vulnerability.
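As an added illustration of the flaw described above (example code, not keyget's own implementation): a minimal path-setter in the unsafe shape the advisory describes, beside a hardened version that rejects prototype-reaching path segments, plus a check a test suite can use to confirm Object.prototype has not been polluted. All function names, the FORBIDDEN_KEYS list and the marker names are assumptions made for this example.

```javascript
// Added example: minimal path-setter illustrating the advisory's flaw.
// This is NOT keyget's own code; it stands in for the behaviour described.

// Keys that let a dotted path climb from a plain object to Object.prototype.
const FORBIDDEN_KEYS = new Set(["__proto__", "constructor", "prototype"]);

function splitPath(path) {
  return Array.isArray(path) ? path.map(String) : String(path).split(".");
}

// Unsafe form: assigns through whatever the path reaches, so a segment of
// "__proto__" resolves to Object.prototype and the final write lands there.
function setByPathUnsafe(obj, path, value) {
  const keys = splitPath(path);
  let cur = obj;
  for (let i = 0; i < keys.length - 1; i++) {
    if (cur[keys[i]] === undefined) cur[keys[i]] = {};
    cur = cur[keys[i]];
  }
  cur[keys[keys.length - 1]] = value;
  return obj;
}

// Hardened form: rejects prototype-reaching segments up front and only
// descends into own, plain-object properties of the target.
function setByPathSafe(obj, path, value) {
  const keys = splitPath(path);
  for (const k of keys) {
    if (FORBIDDEN_KEYS.has(k)) {
      throw new TypeError(`refusing prototype-reaching key: ${k}`);
    }
  }
  let cur = obj;
  for (let i = 0; i < keys.length - 1; i++) {
    const k = keys[i];
    const own = Object.prototype.hasOwnProperty.call(cur, k);
    if (!own || typeof cur[k] !== "object" || cur[k] === null) cur[k] = {};
    cur = cur[k];
  }
  cur[keys[keys.length - 1]] = value;
  return obj;
}

// Detection helper: true if a given name was written onto Object.prototype.
function isPrototypePolluted(name) {
  return Object.prototype.hasOwnProperty.call(Object.prototype, name);
}
```

Running the safe setter with a rejected path throws before any write happens, so the pollution check stays false; the unsafe setter with the same path leaves the marker visible on every object in the process.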

Exploit: Prototype Pollution

Related Identifiers

CVE-2020-28272
GHSA-8MP8-28XH-R486

Affected Products

Keyget