Outdated DataTables Library Allows Tampering with Page Behaviour
Your website uses an outdated version of DataTables — a popular JavaScript library for displaying sortable, searchable tables. The version in use has a known flaw that could allow an attacker to tamper with how the page behaves by injecting unexpected values into the library's internal logic. Think of it like a faulty lock that a previous repair didn't fully fix — a second patch is needed to close the gap.
Business Impact And Actions
Business Impact (high urgency)
If exploited, this flaw could allow an attacker to manipulate your application's behaviour in unpredictable ways — potentially affecting what data is displayed, how the page responds, or enabling further attacks if combined with other weaknesses. This could expose you to compliance concerns if personal data is involved, and may affect customer trust if the application behaves unexpectedly.
What To Do
- Ask your developer to check which version of DataTables (also called datatables.net or jquery.datatables) is installed — it should be 1.10.23 or higher.
- If the version is below 1.10.23, ask your developer to upgrade it. This is a straightforward package update, typically taking under an hour.
- After the update, ask your developer to confirm the tables on your site still work correctly — a quick visual check of any pages with data tables is sufficient.
- Consider asking your developer to set up automated alerts for outdated JavaScript libraries so future issues like this are caught earlier.
DataTables < 1.10.23 Prototype Pollution via 'constructor' Property (CVE-2020-28458)
Vulnerability Explanation (high severity, CVSS 7.3)
CVE-2020-28458 is a Prototype Pollution vulnerability in the datatables.net package affecting all versions prior to 1.10.23. It is the result of an incomplete fix for a prior prototype pollution issue (SNYK-JS-DATATABLESNET-598806). The vulnerable code path is in the internal `_fnSetObjectDataFn` function, which processes object data property names. The original fix blocked certain dangerous property names (such as `__proto__`), but failed to also block `constructor`. An attacker who can control data property names passed into a DataTable — for example, via a server-side data source or user-influenced column definitions — can set a property named `constructor` to inject values onto `Object.prototype`, affecting all objects in the JavaScript runtime.
Root Cause
The root cause is an incomplete denylist in the `_fnSetObjectDataFn` function. The prior patch blocked `__proto__` but omitted `constructor` as a blocked property name, leaving a second prototype pollution path open. Denylists are inherently fragile for this class of vulnerability — the fix in 1.10.23 adds `constructor` to the blocked set.
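To show why the incomplete denylist fails and what the corrected set looks like, here is an added illustration (not DataTables's own source): a small nested-property setter in the style of `_fnSetObjectDataFn`, run once with the pre-1.10.23 denylist and once with `constructor` blocked. The names `setPath`, `isPolluted` and `demo` are assumptions for this demo.

```javascript
// Added illustration, not DataTables's own code. The setter walks a dotted
// data path ("a.b.c") and assigns a value, as a column data setter would.
const WEAK_DENYLIST = new Set(["__proto__"]);                        // pre-1.10.23: constructor missing
const FULL_DENYLIST = new Set(["__proto__", "constructor", "prototype"]); // 1.10.23 adds constructor

function setPath(target, path, value, denylist) {
  const parts = path.split(".");
  let obj = target;
  for (let i = 0; i < parts.length - 1; i++) {
    const key = parts[i];
    if (denylist.has(key)) throw new Error(`blocked property name: ${key}`);
    if (obj[key] === undefined) obj[key] = {};
    obj = obj[key]; // with the weak list, {}.constructor is Object and
  }                 // Object.prototype is reached on the next step
  const last = parts[parts.length - 1];
  if (denylist.has(last)) throw new Error(`blocked property name: ${last}`);
  obj[last] = value;
}

// Defender-side check: does an unrelated, empty object now inherit `prop`?
function isPolluted(prop) {
  return prop in {};
}

// Runs the setter on a constructed data path and reports whether it was
// blocked and whether Object.prototype ended up carrying the new property.
function demo(denylist) {
  const row = {};
  let blocked = false;
  try {
    setPath(row, "constructor.prototype.polluted", "yes", denylist); // constructed input
  } catch (e) {
    blocked = true;
  }
  const polluted = isPolluted("polluted");
  delete Object.prototype.polluted; // clean up so the demo is repeatable
  return { blocked, polluted };
}

console.log("weak denylist:", demo(WEAK_DENYLIST));  // { blocked: false, polluted: true }
console.log("fixed denylist:", demo(FULL_DENYLIST)); // { blocked: true, polluted: false }
```

The `isPolluted` check is the kind of assertion a test suite can run after any code path that builds objects from externally supplied property names.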
Technical Impact
A remote attacker with the ability to influence data property names processed by DataTables can pollute `Object.prototype`, potentially causing unexpected application behaviour, logic bypasses, denial of service (application errors), or — in server-side Node.js contexts where DataTables is used — escalation to remote code execution. The CVSS vector (AV:N/AC:L/PR:N/UI:N) indicates this is exploitable remotely with no authentication and low complexity. Three public proof-of-concept exploits are available on GitHub.
Severity Justification
CVSS 3.x score of 7.3 (High). Network-exploitable, no privileges or user interaction required. Public PoC exploits exist. Impact is partial across confidentiality, integrity, and availability. Severity is bounded from critical because exploitation requires attacker influence over DataTables data property names, which is not always possible.
Affected Components
- datatables.net < 1.10.23
- jquery.datatables < 1.10.23
Remediation Steps
- Upgrade the `datatables.net` (or `jquery.datatables`) package to version 1.10.23 or later. This is the official fix released on 18 December 2020.
- For npm/yarn projects: run `npm install datatables.net@latest` or `yarn upgrade datatables.net` and commit the updated `package-lock.json` or `yarn.lock`.
- For CDN-hosted DataTables (loaded via a `<script>` tag), update the URL to reference version 1.10.23 or later, e.g. `https://cdn.datatables.net/1.10.25/js/jquery.dataTables.min.js`.
- If DataTables is bundled as part of a UI framework or admin theme, check whether the theme vendor has released an update that includes the patched version, and upgrade the theme accordingly.
- After upgrading, run your existing test suite and perform a manual smoke test on all pages that render DataTables to confirm no regressions.
Verification Steps
- Run `npm list datatables.net` or `npm list jquery.datatables` in your project root and confirm the resolved version is 1.10.23 or higher.
- If using a CDN, inspect the page source or browser DevTools Network tab and confirm the DataTables script URL references version 1.10.23+.
- Run `npm audit` after upgrading — CVE-2020-28458 should no longer appear in the output.
- Use the Snyk vulnerability checker or GitHub Dependabot to confirm no remaining advisories for datatables.net.
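The `npm list` check above can be automated against a lockfile. Added example (not VulWall's or DataTables's code): it reads the `packages` map of a lockfile v2/v3 `package-lock.json`, finds both affected package names and flags any resolved version below 1.10.23. The sample lockfile and the function names are constructed for this example.

```javascript
// Added example: flag datatables.net / jquery.datatables entries below the
// fixed release in a parsed package-lock.json (lockfileVersion 2 or 3).
const FIXED_VERSION = "1.10.23";
const AFFECTED_PACKAGES = ["datatables.net", "jquery.datatables"];

// Numeric comparison of dotted versions: negative if a < b, 0 if equal, positive if a > b.
function compareVersions(a, b) {
  const pa = a.split(".").map(Number);
  const pb = b.split(".").map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// Returns [{ name, version }] for every affected package resolved below FIXED_VERSION.
// Lockfile v2/v3 keys look like "node_modules/<name>" or "node_modules/a/node_modules/<name>".
function findVulnerable(lock) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    const name = path.replace(/^.*node_modules\//, "");
    if (!AFFECTED_PACKAGES.includes(name) || !entry.version) continue;
    if (compareVersions(entry.version, FIXED_VERSION) < 0) {
      findings.push({ name, version: entry.version });
    }
  }
  return findings;
}

// Constructed sample lockfile: one vulnerable entry, one patched entry, one nested copy.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/datatables.net": { version: "1.10.19" },
    "node_modules/jquery.datatables": { version: "1.10.25" },
    "node_modules/admin-theme/node_modules/datatables.net": { version: "1.10.21" },
  },
};

console.log(findVulnerable(SAMPLE_LOCK)); // two findings: 1.10.19 and the nested 1.10.21
```

Point `findVulnerable` at `JSON.parse(fs.readFileSync("package-lock.json"))` in CI and fail the build when it returns a non-empty list.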
Code Examples (bash)
```bash
# package.json pinned to a vulnerable version:
#   "datatables.net": "1.10.19"

# Upgrade via npm
npm install datatables.net@^1.10.23

# Or for CDN usage, update the script tag src:
# Before (vulnerable):
#   <script src="https://cdn.datatables.net/1.10.19/js/jquery.dataTables.min.js"></script>
# After (fixed):
#   <script src="https://cdn.datatables.net/1.10.25/js/jquery.dataTables.min.js"></script>
```
Best Practices
- Pin JavaScript dependencies to specific versions in package.json and use a lock file (package-lock.json / yarn.lock) to ensure reproducible builds.
- Enable automated dependency scanning (GitHub Dependabot, Snyk, or Renovate) to receive pull requests when new CVEs affect your dependencies.
- Prefer allowlists over denylists when validating object property names — denylists are fragile and frequently incomplete, as demonstrated by this CVE.
- Audit all third-party libraries that process user-influenced data property names or JSON structures, as they are common vectors for prototype pollution.