CVE-2020-5259

Prototype Pollution
Affects: Dojo
Versions: <1.11.10, >=1.12.0 <1.12.8, >=1.13.0 <1.13.7, >=1.14.0 <1.14.6, >=1.15.0 <1.15.3, >=1.16.0 <1.16.2
Patch Available

This Vulnerability has been fixed in the Never-Ending Support (NES) version offered by HeroDevs.

Overview

Dojox (the “dojox” package of the Dojo Toolkit) is a collection of optional, extended, and experimental modules for the Dojo Toolkit that provide additional UI widgets, utilities, and advanced features beyond the core Dojo libraries.

A low-severity Prototype Pollution vulnerability (CVE-2020-5259) has been identified in Dojox, which allows a malicious actor to modify an object's prototype, potentially leading to unexpected behavior or security issues.

Per OWASP: Prototype Pollution is a critical vulnerability that can allow attackers to manipulate an application's JavaScript objects and properties, leading to serious security issues such as unauthorized access to data, privilege escalation, and even remote code execution.

Details

Vulnerability Info

This low-severity vulnerability is found in many versions of Dojox earlier than 1.16.2. See the affected versions above for specific details.

The vulnerability affects the Dojox jQuery wrapper (jq.js). The jqMix method allowed attackers to inject properties into JavaScript language construct prototypes by supplying the special __proto__ property during object mixing operations.

The jqMix function in jq.js recursively merges properties from a source object into a target object without validating property names. An attacker could exploit this by:

  • Passing an object with a __proto__ property to functions using jqMix
  • Polluting the prototype of base JavaScript objects (Object, Array, etc.)
  • Injecting malicious properties accessible across the entire application
  • Potentially modifying application behavior or bypassing security checks via injected properties

The vulnerability affects the object merging logic used by $.extend and related jQuery-style API methods in Dojox.
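The merge logic described above is the whole story: a recursive merge that copies every key it finds, including a key literally named __proto__, ends up writing into Object.prototype. The following is an added illustration, not Dojox's jqMix code or any HeroDevs patch: a constructed naive merge of that kind beside a hardened variant that validates property names, plus a small runtime check a test suite can use to confirm the global prototype is still clean. The function names (unsafeMerge, safeMerge, objectPrototypeIsClean) and the sample JSON are assumptions chosen for this example.

```javascript
// Added illustration (not Dojox's jqMix): a naive recursive merge of the
// kind the advisory describes, next to a hardened variant that validates
// property names before copying them.
const UNSAFE_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function isPlainObject(value) {
  if (value === null || typeof value !== 'object') return false;
  const proto = Object.getPrototypeOf(value);
  return proto === Object.prototype || proto === null;
}

// Naive merge: copies every key, including an own key named "__proto__",
// so a source parsed from untrusted JSON can reach Object.prototype.
function unsafeMerge(target, source) {
  for (const key in source) {
    if (isPlainObject(source[key])) {
      target[key] = unsafeMerge(target[key] || {}, source[key]);
    } else {
      target[key] = source[key];
    }
  }
  return target;
}

// Hardened merge: skip prototype-reaching keys, copy only own properties,
// and only recurse into plain objects the target already owns.
function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (UNSAFE_KEYS.has(key)) continue;
    const value = source[key];
    if (isPlainObject(value)) {
      const ownPlain =
        Object.prototype.hasOwnProperty.call(target, key) && isPlainObject(target[key]);
      target[key] = safeMerge(ownPlain ? target[key] : {}, value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Runtime check for a test suite or health check: a clean Object.prototype
// has no enumerable own properties, so any pollution shows up here.
function objectPrototypeIsClean() {
  return Object.keys(Object.prototype).length === 0;
}

// Constructed sample input shaped like the untrusted JSON described above.
const SAMPLE_PAYLOAD = '{"name": "settings", "__proto__": {"polluted": true}}';

// Merge the sample with the hardened function and report what happened.
function demo() {
  const merged = safeMerge({}, JSON.parse(SAMPLE_PAYLOAD));
  return {
    copiedName: merged.name,            // 'settings'
    pollutedAfterSafe: ({}).polluted,   // undefined
    cleanAfterSafe: objectPrototypeIsClean(), // true
  };
}
```

Note that JSON.parse creates an ordinary own property named "__proto__" (it does not change the parsed object's prototype), which is exactly why a key-by-key copy into a target object triggers the __proto__ setter. Rejecting "__proto__", "constructor" and "prototype" as keys, iterating only own properties, and never recursing into an inherited target property closes all three routes.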

Mitigation

Dojox version 1.7.x is End-of-Life and will not receive any updates to address this issue. For more information see the Dojo website announcement.

Users of the affected components should apply one of the following mitigations:

  • Upgrade affected applications to a fixed version of Dojox and Dojo.
  • Leverage a commercial support partner like HeroDevs for post-EOL security support.

Vulnerability Details

ID: CVE-2020-5259
Project Affected: Dojo
Versions Affected: <1.11.10, >=1.12.0 <1.12.8, >=1.13.0 <1.13.7, >=1.14.0 <1.14.6, >=1.15.0 <1.15.3, >=1.16.0 <1.16.2
Published date: December 3, 2025
≈ Fix date: November 25, 2025
Fixed in:
Severity Level: Low
Category: Prototype Pollution

CVSS Assessment ranges used for the severity level:
  Low       >=0 <4
  Medium    >=4 <6
  High      >=6 <8
  Critical  >=8 <10