Vulnerability Details : CVE-2020-7765
Potential exploit
This affects the package @firebase/util before 0.3.4. The vulnerability is in the deepExtend function in the DeepCopy.ts file. If user-supplied input is passed to it, an attacker can overwrite and pollute the object prototype of a program.
Products affected by CVE-2020-7765
- cpe:2.3:a:google:firebase\/util:*:*:*:*:*:node.js:*:*
Exploit prediction scoring system (EPSS) score for CVE-2020-7765
- 0.15%: Probability of exploitation activity in the next 30 days
- ~52%: Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2020-7765
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
5.0 | MEDIUM | AV:N/AC:L/Au:N/C:N/I:P/A:N | 10.0 | 2.9 | NIST | |
5.3 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N | 3.9 | 1.4 | NIST | |
5.6 | MEDIUM | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L | 2.2 | 3.4 | Snyk | |
References for CVE-2020-7765
- https://github.com/firebase/firebase-js-sdk/pull/4001
  Prevent __proto__ pollution in util.deepExtend by Feiyang1 · Pull Request #4001 · firebase/firebase-js-sdk · GitHub (Patch; Third Party Advisory)
- https://snyk.io/vuln/SNYK-JS-FIREBASEUTIL-1038324
  Prototype Pollution in @firebase/util | Snyk (Exploit; Third Party Advisory)
- https://github.com/firebase/firebase-js-sdk/commit/9cf727fcc3d049551b16ae0698ac33dc2fe45ada
  Prevent __proto__ pollution in util.deepExtend (#4001) · firebase/firebase-js-sdk@9cf727f · GitHub (Patch; Third Party Advisory)