概要
Prototype-pollution advisories are easy to overstate from dependency data alone. CVE-2020-28271 is critical in NVD and GitHub advisory scoring, but the useful scanner signal is still a precise dependency match: a project carrying deephas versions 1.0.0 through 1.0.5 should upgrade or replace the package and review object-path call sites.
仕組み
The repo check looks for deephas dependency evidence in npm manifests and lockfiles. Lockfile entries produce the strongest signal because they identify a resolved affected version. The finding stays scoped to dependency evidence and does not claim FixVibe mutated Object.prototype, confirmed a DoS condition, or found a runtime RCE path.
被害範囲
If the affected deephas runtime processes attacker-controlled keys or object paths, prototype pollution can alter inherited object behavior and may lead to denial of service or worse gadget-dependent impact. A repo match should trigger dependency remediation and a focused review of untrusted-input paths before treating the issue as confirmed production exploitability.
// what fixvibe checks
What FixVibe checks
FixVibe repo scans look for high-confidence security patterns and dependency risk in source context. Reports identify the affected area and recommended fix. For check-specific questions about exact detection heuristics, active payload details, or source-code rule patterns, contact support@fixvibe.app.
鉄壁の防御
Upgrade deephas to 1.0.8 or replace it with a maintained deep-path utility, regenerate the active lockfile, rebuild and redeploy the artifact, and review call sites that pass user-controlled keys such as object paths. Keep input schemas stripping prototype keys before they reach object merge or path helpers.