PT-2020-16969 · Npm · Flattenizer

Published: 2020-12-29 · Updated: 2022-05-24

CVE-2020-28279

CVSS v3.1: 9.8 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: flattenizer versions 0.0.5 through 1.0.5
Description: The issue is a prototype pollution vulnerability that allows an attacker to cause a denial of service and may lead to remote code execution. The unflatten() function in the 'flattenizer' NPM module rebuilds a nested object from delimiter-separated keys, but it does not check the type or ownership of the object it is about to assign into, so a key segment that names the prototype chain is followed like any ordinary path segment. An attacker who controls the flattened input can therefore create properties that did not exist, or overwrite existing ones, on the Object prototype itself, for example by supplying a key that ends in a property such as polluted. Because every object in the process inherits from that prototype, the injected property becomes visible application-wide; this is what makes denial of service possible, and, depending on how the application later consumes the polluted properties, remote code execution.
Recommendations: For versions 0.0.5 through 1.0.5, consider disabling the unflatten() function until a patch is available. Restrict use of the 'flattenizer' module to minimize the risk of denial of service or remote code execution, and never pass untrusted input (for example a parsed JSON request body) to unflatten(). Where the call cannot be removed, reject or strip keys containing the segments __proto__, constructor and prototype before unflattening, and consider freezing Object.prototype at process start (Object.freeze(Object.prototype)) so that any remaining pollution attempt fails instead of silently changing every object in the process. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
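The following is an added illustration for this advisory, not code from the flattenizer project. unflattenNaive() is a simplified stand-in that reproduces the unsafe pattern described above (walking a dotted key path with plain property access and assignment, without checking what the cursor has landed on); it is not flattenizer's actual source. unflattenSafe() is one possible hardened form of the same function that applies the recommendation to reject reserved path segments. The JSON input, the function names and the delimiter are assumptions made for the example.

```javascript
// Added illustration for this advisory. unflattenNaive() is a simplified
// stand-in for the unsafe pattern (NOT flattenizer's source), and
// unflattenSafe() is one way to harden it. All input below is constructed.

const DELIMITER = '.';

// Path segments that must never be followed when walking into an object.
const RESERVED_SEGMENTS = new Set(['__proto__', 'constructor', 'prototype']);

// Vulnerable pattern: each dotted key is split into a path and the path is
// walked with plain property access and assignment. Nothing checks whether a
// segment names the prototype chain, so for "__proto__.polluted" the cursor
// lands on Object.prototype and the final assignment pollutes it.
function unflattenNaive(source, delimiter = DELIMITER) {
  const dest = {};
  for (const key of Object.keys(source)) {
    const parts = key.split(delimiter);
    let cursor = dest;
    for (let i = 0; i < parts.length - 1; i++) {
      const part = parts[i];
      if (cursor[part] === undefined || cursor[part] === null) {
        cursor[part] = {};            // create the intermediate container
      }
      cursor = cursor[part];          // for "__proto__" this is Object.prototype
    }
    cursor[parts[parts.length - 1]] = source[key];
  }
  return dest;
}

// Hardened variant: reject any key containing a reserved segment, and only
// descend into containers that are own, non-null objects of the destination.
function unflattenSafe(source, delimiter = DELIMITER) {
  const dest = {};
  for (const key of Object.keys(source)) {
    const parts = key.split(delimiter);
    if (parts.some((p) => RESERVED_SEGMENTS.has(p))) {
      throw new Error(`refusing to unflatten reserved path segment in key: ${key}`);
    }
    let cursor = dest;
    for (let i = 0; i < parts.length - 1; i++) {
      const part = parts[i];
      const own = Object.prototype.hasOwnProperty.call(cursor, part);
      if (!own || typeof cursor[part] !== 'object' || cursor[part] === null) {
        cursor[part] = {};
      }
      cursor = cursor[part];
    }
    cursor[parts[parts.length - 1]] = source[key];
  }
  return dest;
}

// Constructed attacker-controlled input, as it might arrive in a JSON body.
const ATTACKER_JSON = '{"__proto__.polluted": true, "user.name": "alice"}';

// Shows the pollution: a fresh {} gains "polluted" after the call because the
// property now lives on the shared Object.prototype. Cleans up afterwards.
function demoVulnerable() {
  const before = ({}).polluted;         // undefined
  unflattenNaive(JSON.parse(ATTACKER_JSON));
  const after = ({}).polluted;          // true
  delete Object.prototype.polluted;     // undo, so the rest of the process is sane
  return { before, after };
}

// Shows the hardened variant refusing the same input and leaving Object.prototype intact.
function demoHardened() {
  let rejected = false;
  try {
    unflattenSafe(JSON.parse(ATTACKER_JSON));
  } catch (err) {
    rejected = true;
  }
  return { rejected, polluted: ({}).polluted };
}

console.log('naive:', demoVulnerable());
console.log('safe :', demoHardened());
console.log('legit:', JSON.stringify(unflattenSafe({ 'a.b.c': 1, 'a.d': 2 })));
```

The denylist is the primary control here; building the destination with Object.create(null) is an alternative that removes the inherited __proto__ setter entirely, at the cost of returning objects without hasOwnProperty and the other Object.prototype methods that callers may expect. Freezing Object.prototype at startup is a complementary process-wide measure: with it in place, the naive variant's final assignment throws in strict mode (or is silently ignored otherwise) instead of polluting every object.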

Exploit: Prototype Pollution


Weakness Enumeration

Related Identifiers

CVE-2020-28279
GHSA-VQ33-26PR-R4H6

Affected Products

Flattenizer