CVE-2020-8116

HIGH

dot-prop <4.2.1, <5.1.1 - Prototype Pollution

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for CVE-2020-8116. PoCs published by AikidoSec.

AI-analyzed exploit summary This repository contains a functional proof-of-concept for CVE-2020-8116, demonstrating prototype pollution in the 'dot-prop' Node.js library. It includes vulnerable and protected test cases to showcase the exploit and mitigation.

Description

Prototype pollution vulnerability in dot-prop npm package versions before 4.2.1 and versions 5.x before 5.1.1 allows an attacker to add arbitrary properties to JavaScript language constructs such as objects.

Exploits (1)

github WORKING POC 6 stars
by AikidoSec · javascriptpoc
https://github.com/AikidoSec/zen-0-days/tree/main/node/CVE-2020-8116

This repository contains a functional proof-of-concept for CVE-2020-8116, demonstrating prototype pollution in the 'dot-prop' Node.js library. It includes vulnerable and protected test cases to showcase the exploit and mitigation.

Classification
Working Poc 90%
Attack Type
Other
Complexity
Trivial
Reliability
Reliable
Target: dot-prop (Node.js library)
No auth needed
Prerequisites: Node.js environment · dot-prop library
devstral-2 · analyzed Feb 27, 2026 Full analysis →

References (4)

Core 4
Core References
Exploit, Third Party Advisory x_refsource_misc
https://hackerone.com/reports/719856
Third Party Advisory x_refsource_misc
https://github.com/advisories/GHSA-ff7x-qrg7-qggm
Issue Tracking, Patch, Third Party Advisory x_refsource_misc
https://github.com/sindresorhus/dot-prop/issues/63

Scores

CVSS v3 7.3
EPSS 0.0300
EPSS Percentile 85.6%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

Details

CWE
CWE-1321 CWE-471
Status published
Products (2)
dot-prop_project/dot-prop < 4.2.1
npm/dot-prop 0 - 4.2.1npm
Published Feb 04, 2020
Tracked Since Feb 18, 2026