Main Vulnerability Database Vulnerabilities #VU118654

#VU118654 Prototype pollution in Properties - CVE-2020-28471

Published: November 20, 2025

Vulnerability identifier: #VU118654

Vulnerability risk: Medium

CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Green

CVE-ID: CVE-2020-28471

CWE-ID: CWE-1321

Exploitation vector: Remote access

Exploit availability: No public exploit available

Vulnerable software:
Properties

Software vendor:
Steve King

Description

The vulnerability allows a remote attacker to execute arbitrary JavaScript code.

The vulnerability exists due to improper input validation. A remote attacker can pass specially crafted input to the application and perform prototype pollution, which can result in information disclosure or data manipulation.

Remediation

Install updates from vendor's website.

External links

https://github.com/steveukx/properties/commit/0877cc871db9865f58dd9389ce99e61be05380a5
https://github.com/steveukx/properties/issues/40
https://security.snyk.io/vuln/SNYK-JS-PROPERTIESREADER-1048968

#VU118654 Prototype pollution in Properties - CVE-2020-28471

Description

Remediation

External links

Please verify you're human