CVE-2020-7765

MEDIUM

@firebase/util <0.3.4 - Code Injection

Title source: llm

Description

This affects the package @firebase/util before 0.3.4. This vulnerability relates to the deepExtend function within the DeepCopy.ts file. Depending on if user input is provided, an attacker can overwrite and pollute the object prototype of a program.

Exploits (1)

github WORKING POC 6 stars

by AikidoSec · javascriptpoc

https://github.com/AikidoSec/zen-0-days/tree/main/node/CVE-2020-7765

View Code ZIP pw:eip

References (3)

[Patch, Third Party Advisory] https://github.com/firebase/firebase-js-sdk/commit/9cf727fcc3d049551b16ae0698ac33dc2fe45ada

View Patch ZIP pw:eip

[Patch, Third Party Advisory] https://github.com/firebase/firebase-js-sdk/pull/4001

[Exploit, Third Party Advisory] https://snyk.io/vuln/SNYK-JS-FIREBASEUTIL-1038324

Scores

CVSS v3 5.6

EPSS 0.0017

EPSS Percentile 37.8%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L

Classification

Status published

Affected Products (2)

google/firebase\/util < 0.3.4

firebase/util < 0.3.4npm

Timeline

Published Nov 16, 2020

Tracked Since Feb 18, 2026