CVE-2020-7641: 
JavaScript vulnerability analysis and mitigation

CVE-2020-7641 is a Prototype Pollution vulnerability affecting the grunt-util-property package, which is a Grunt util for getting and setting properties. The vulnerability was published and disclosed on April 12, 2020, and was discovered by the JHU System Security Lab (Snyk Report).

The vulnerability allows an attacker to manipulate properties of Object.prototype using a proto payload. The function call in the package could be tricked into adding or modifying properties of Object.prototype. According to the CVSS v3.1 assessment, the vulnerability has a Local attack vector, High attack complexity, requires No privileges, and No user interaction. The scope is Unchanged, with Low impact on Confidentiality, and Low impact on Availability (Snyk Report).

The exploitation of this vulnerability can lead to Denial of Service (DoS) by triggering JavaScript exceptions or potentially lead to remote code execution by tampering with the application source code. The vulnerability can affect the application when Object holds generic functions that are implicitly called for various operations, such as toString and valueOf (Snyk Report).

Since there is no fixed version available for grunt-util-property, several mitigation strategies are recommended: 1) Freeze the prototype using Object.freeze(Object.prototype), 2) Implement schema validation for JSON input, 3) Avoid using unsafe recursive merge functions, 4) Consider using objects without prototypes (Object.create(null)), and 5) Use Map instead of Object as a best practice (Snyk Report).