CVE-2020-8116

HIGH

dot-prop <4.2.1, <5.1.1 - Prototype Pollution

Description

Prototype pollution vulnerability in dot-prop npm package versions before 4.2.1 and versions 5.x before 5.1.1 allows an attacker to add arbitrary properties to JavaScript language constructs such as objects.

Exploits (1)

github WORKING POC 6 stars
by AikidoSec · javascript · poc
https://github.com/AikidoSec/zen-0-days/tree/main/node/CVE-2020-8116

Scores

CVSS v3 7.3
EPSS 0.0076
EPSS Percentile 73.1%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

Classification

CWE
CWE-1321 CWE-471
Status published

Affected Products (2)

dot-prop_project/dot-prop < 4.2.1
npm/dot-prop < 4.2.1

Timeline

Published Feb 04, 2020
Tracked Since Feb 18, 2026