PatchSiren

PatchSiren cyber security CVE debrief

CVE-2020-28271 Sharpred CVE debrief

A critical prototype pollution vulnerability in the deephas npm package (versions 1.0.0 through 1.0.5) enables unauthenticated remote attackers to achieve denial of service and potentially remote code execution. The vulnerability stems from improper handling of object property assignments that allow modification of Object.prototype, a common JavaScript prototype pollution pattern classified under CWE-1321. The CVSS 3.1 score of 9.8 reflects network attack vector with low complexity, no privileges required, and high impacts across confidentiality, integrity, and availability. The vulnerability was disclosed on November 12, 2020, with the NVD record subsequently modified on May 19, 2026. A patch commit addressing this issue was published to the project's GitHub repository. Organizations using affected versions should upgrade immediately and audit applications for prototype pollution attack surfaces.

Vendor: Sharpred
Product: Deephas
CVSS: CRITICAL 9.8
CISA KEV: Not listed in stored evidence
Original CVE published: 2020-11-12
Original CVE updated: 2026-05-19
Advisory published: 2020-11-12
Advisory updated: 2026-05-19

Who should care

Organizations using the deephas npm package in production applications, particularly those processing untrusted user input through deep object operations. Development teams maintaining Node.js applications with deephas dependencies. Security teams conducting software composition analysis and dependency vulnerability management.

Technical summary

The deephas package versions 1.0.0 through 1.0.5 contain a prototype pollution vulnerability (CWE-1321) that allows attackers to modify Object.prototype through crafted input. This can lead to denial of service through property injection attacks and potentially remote code execution if polluted properties are subsequently used in security-sensitive operations. The vulnerability is exploitable over the network without authentication, with low attack complexity. The fix involves proper validation and filtering of property keys to prevent prototype chain manipulation.

Defensive priority

critical

Recommended defensive actions

  • Upgrade deephas to version 1.0.6 or later if available, or apply the patch commit referenced in the vendor advisory
  • Audit application code for prototype pollution attack surfaces, particularly where user-controlled input is passed to deephas functions as a property path or key
  • Validate and sanitize input so that property keys such as __proto__, constructor, and prototype are rejected before they reach deep object operations
  • Review dependencies for other packages with similar prototype pollution vulnerabilities
  • Monitor application logs for anomalous object property modifications or unexpected prototype changes
  • Consider using Object.freeze(Object.prototype) or similar hardening techniques where feasible to mitigate prototype pollution risks
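As an added illustration of the key-filtering fix and the Object.freeze hardening recommended above (example code written for this debrief, not deephas's own implementation or its patch; the helper names safeDeepHas, safeDeepSet and hardenPrototypes are assumptions):

```javascript
'use strict';

// Path segments that can walk from a plain object onto the prototype chain.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Reject any segment that could reach Object.prototype; everything else passes.
function assertSafeKey(key) {
  const k = String(key);
  if (FORBIDDEN_KEYS.has(k)) {
    throw new TypeError(`refusing to traverse unsafe property key: ${k}`);
  }
  return k;
}

// Split "a.b.c" (or an array of segments) into validated segments.
function toPath(path) {
  const segments = Array.isArray(path) ? path : String(path).split('.');
  return segments.map(assertSafeKey);
}

// deep-has that only counts OWN properties, so an inherited (possibly
// polluted) key is never reported as present on the target object.
function safeDeepHas(target, path) {
  let cur = target;
  for (const key of toPath(path)) {
    if (cur === null || typeof cur !== 'object' ||
        !Object.prototype.hasOwnProperty.call(cur, key)) {
      return false;
    }
    cur = cur[key];
  }
  return true;
}

// deep-set that refuses forbidden segments and creates null-prototype
// intermediates, so there is no chain for a later write to pollute.
function safeDeepSet(target, path, value) {
  const keys = toPath(path);
  let cur = target;
  for (let i = 0; i < keys.length - 1; i++) {
    if (cur[keys[i]] === null || typeof cur[keys[i]] !== 'object') {
      cur[keys[i]] = Object.create(null);
    }
    cur = cur[keys[i]];
  }
  cur[keys[keys.length - 1]] = value;
  return target;
}

// Process-wide mitigation from the last recommendation: once frozen, writes
// to Object.prototype throw in strict mode and are ignored in sloppy mode.
function hardenPrototypes() {
  Object.freeze(Object.prototype);
  return Object.isFrozen(Object.prototype);
}
```

Call hardenPrototypes() once at application start-up, before any dependency that legitimately extends built-in prototypes would be broken by it; test that assumption in staging first.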

Evidence notes

The CVE description confirms prototype pollution in deephas 1.0.0-1.0.5 with DoS and potential RCE impacts. The NVD CPE criteria specify the vulnerable Node.js package versions. The CVSS 3.1 vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H supports the critical severity rating. CWE-1321 (Improperly Controlled Modification of Object Prototype Attributes) is identified as the primary weakness. Patch commit 2fe011713a6178c50f7deb6f039a8e5435981e20 is referenced as the remediation.

Official resources

2020-11-12