Description
Affected versions of yargs-parser are vulnerable to prototype pollution. Arguments are not properly sanitized, allowing an attacker to modify the prototype of Object, causing the addition or modification of an existing property that will exist on all objects.
For example, parsing the argument `--foo.__proto__.bar baz` adds a `bar` property with value `baz` to every object in the process, because the dotted key is walked into `Object.prototype` before the final assignment.
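The following is an added example, not code from yargs-parser itself: a minimal dotted-key argument setter written in the style that made the parser vulnerable, beside a hardened form, plus a tiny argv walker so the `--foo.__proto__.bar baz` case above can be run end to end. The names `parseArgs`, `setPathVulnerable`, `setPathSafe` and `demoPollution` are invented for this illustration.

```javascript
// Added example (not yargs-parser's own code): a dotted-key setter in the
// style that made the parser vulnerable, beside a hardened replacement.

const UNSAFE_SEGMENTS = new Set(['__proto__', 'constructor', 'prototype']);

// Vulnerable pattern: walk the dotted path, creating intermediate objects,
// without checking the segments. For "foo.__proto__.bar", obj.foo is a
// fresh {}, obj.foo.__proto__ is Object.prototype, so the final assignment
// lands on Object.prototype and is visible on every object.
function setPathVulnerable(target, dottedKey, value) {
  const keys = dottedKey.split('.');
  let obj = target;
  for (let i = 0; i < keys.length - 1; i++) {
    const k = keys[i];
    if (obj[k] === undefined) obj[k] = {};
    obj = obj[k];
  }
  obj[keys[keys.length - 1]] = value;
  return target;
}

// Hardened form: refuse prototype-reaching segments outright, and only
// descend into own, object-valued properties so inherited ones are never
// used as the next container.
function setPathSafe(target, dottedKey, value) {
  const keys = dottedKey.split('.');
  if (keys.some((k) => UNSAFE_SEGMENTS.has(k))) {
    throw new Error(`refusing to set prototype-polluting key: ${dottedKey}`);
  }
  let obj = target;
  for (let i = 0; i < keys.length - 1; i++) {
    const k = keys[i];
    const own = Object.prototype.hasOwnProperty.call(obj, k);
    if (!own || typeof obj[k] !== 'object' || obj[k] === null) obj[k] = {};
    obj = obj[k];
  }
  obj[keys[keys.length - 1]] = value;
  return target;
}

// Minimal argv walker: "--a.b value" pairs; a flag without a value is true.
// setPath is injected so the same input can be run through both setters.
function parseArgs(argv, setPath) {
  const result = {};
  for (let i = 0; i < argv.length; i++) {
    const arg = argv[i];
    if (!arg.startsWith('--')) continue;
    const key = arg.slice(2);
    const next = argv[i + 1];
    const value = next !== undefined && !next.startsWith('--') ? argv[++i] : true;
    setPath(result, key, value);
  }
  return result;
}

// Runs the advisory's example through both setters and reports what an
// unrelated object sees. Cleans Object.prototype up afterwards so the
// pollution does not leak into the rest of the process.
function demoPollution() {
  const argv = ['--foo.__proto__.bar', 'baz']; // constructed input
  parseArgs(argv, setPathVulnerable);
  const polluted = {}.bar; // 'baz': the unrelated object now has .bar
  delete Object.prototype.bar;
  let safeResult;
  try {
    parseArgs(argv, setPathSafe);
    safeResult = 'accepted';
  } catch (e) {
    safeResult = 'rejected';
  }
  return { polluted, afterCleanup: {}.bar, safeResult };
}

console.log(demoPollution()); // { polluted: 'baz', afterCleanup: undefined, safeResult: 'rejected' }
```

A quick runtime check for code that cannot upgrade immediately: call `Object.freeze(Object.prototype)` early in startup, which turns the vulnerable assignment into a silent no-op (or a TypeError in strict mode) instead of a global change.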
Recommendation
Update the yargs-parser package to the latest compatible version. Affected version ranges, with the patched release for each:
- **>= 16.0.0, < 18.1.1**: patched in **18.1.1**
- **>= 14.0.0, < 15.0.1**: patched in **15.0.1**
- **>= 6.0.0, < 13.1.2**: patched in **13.1.2**
- **<= 5.0.0**: patched in **5.0.1**
References
- GHSA-p9pc-299p-vxgp
- snyk.io
- www.npmjs.com
- CVE-2020-7608
- CWE-1321
- CWE-915
- CAPEC-310
- OWASP 2021-A6
- OWASP 2021-A8
Tags:
- npm
- yargs-parser
Last updated on January 27, 2023