CVE-2020-5258

In affected versions of dojo (NPM package), the deepCopy method is vulnerable to Prototype Pollution. Prototype Pollution refers to the ability to inject properties into existing JavaScript language construct prototypes, such as objects. An attacker manipulates these attributes to overwrite, or pollute, a JavaScript application object prototype of the base object by injecting other values. This has been patched in versions 1.12.8, 1.13.7, 1.14.6, 1.15.3 and 1.16.2

Published: Mar 10, 2020
Updated: May 4, 2025
CVE: CVE-2020-5258
GHSA: GHSA-jxfh-8wgv-vfr2
Severity: Medium
Exploit:

CVSS v2:

Severity: Medium
Score: 5
AV:N/AC:L/Au:N/C:N/I:P/A:N

CWEs:

Affected Software
References

Software	From	Fixed in
linuxfoundation / dojo	1.13.0	1.13.7
linuxfoundation / dojo	1.14.0	1.14.6
linuxfoundation / dojo	1.15.0	1.15.3
linuxfoundation / dojo	1.16.0	1.16.2
linuxfoundation / dojo	-	1.11.10
linuxfoundation / dojo	1.12.0	1.12.8
debian / debian_linux	8.0	8.0.x
oracle / webcenter_sites	12.2.1.3.0	12.2.1.3.0.x
oracle / primavera_unifier	18.8	18.8.x
oracle / primavera_unifier	17.7	17.12.x
oracle / communications_policy_management	12.5.0	12.5.0.x
oracle / weblogic_server	12.2.1.4.0	12.2.1.4.0.x
oracle / primavera_unifier	19.12	19.12.x
oracle / webcenter_sites	12.2.1.4.0	12.2.1.4.0.x
oracle / weblogic_server	14.1.1.0.0	14.1.1.0.0.x
oracle / mysql	8.0.0	8.0.20.x
oracle / primavera_unifier	20.12	20.12.x
oracle / mysql	7.6.0	7.6.14.x
oracle / mysql	7.5.0	7.5.18.x
oracle / mysql	7.4.0	7.4.28.x
oracle / mysql	7.3.0	7.3.29.x
oracle / communications_pricing_design_center	12.0.0.3.0	12.0.0.3.0.x
oracle / documaker	12.6.0	12.6.4.x
oracle / communications_application_session_controller	3.9.0	3.9.0.x
dojo	-	1.11.10
dojo	1.12.0	1.12.8
dojo	1.13.0	1.13.7
dojo	1.14.0	1.14.6
dojo	1.15.0	1.15.3
dojo	1.16.0	1.16.2

Vulnerability Database

289,599

CVE-2020-5258