CVE-2020-28478

HIGH

gsap <3.6.0 - Info Disclosure

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2020-28478. PoCs published by NetJBS.

AI-analyzed exploit summary This PoC demonstrates a prototype pollution vulnerability in gsap 1.19.90, where malicious input via `gsap.config` can pollute the global object prototype chain. The exploit uses JSON parsing to inject properties into `__proto__`, leading to potential arbitrary code execution or data manipulation.

Description

This affects the package gsap before 3.6.0.

Exploits (1)

nomisec WORKING POC 1 stars

by NetJBS · poc

https://github.com/NetJBS/CVE-2020-28478--PoC

View Code ZIP pw:eip

This PoC demonstrates a prototype pollution vulnerability in gsap 1.19.90, where malicious input via `gsap.config` can pollute the global object prototype chain. The exploit uses JSON parsing to inject properties into `__proto__`, leading to potential arbitrary code execution or data manipulation.

Classification

Working Poc 90%

Attack Type

Other

Complexity

Trivial

Reliability

Reliable

Target: gsap 1.19.90

No auth needed

Prerequisites: Victim must execute the malicious JavaScript in a context where gsap 1.19.90 is loaded

MITRE ATT&CK

T1059 - Command and Scripting Interpreter T1190 - Exploit Public-Facing Application

devstral-2 · analyzed Feb 19, 2026 Full analysis →

References (2)

Core 2

Core References

Exploit, Third Party Advisory x_refsource_misc

https://snyk.io/vuln/SNYK-JS-GSAP-1054614

Broken Link x_refsource_misc

https://github.com/greensock/GSAP/blob/master/src/gsap-core.js%23L147

Scores

CVSS v3 7.5

EPSS 0.0063

EPSS Percentile 70.8%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Details

Status published

Products (2)

greensock/greensock_animation_platform < 3.6.0

npm/gsap 0 - 3.6.0npm

Published Jan 19, 2021

Tracked Since Feb 18, 2026