Description
Affected versions of yargs-parser are vulnerable to prototype pollution. Arguments are not properly sanitized, allowing an attacker to modify the prototype of Object, causing the addition or modification of an existing property that will exist on all objects.
Parsing the argument `--foo.__proto__.bar baz` adds a `bar` property with value `baz` to all objects.
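To make the mechanism concrete, the following is an added example (not yargs-parser's own code) of a minimal dotted-key argument setter in the style of a CLI parser, written once naively and once hardened. The naive walk of `foo.__proto__.bar` reaches `Object.prototype` and writes `bar` there; the hardened version refuses `__proto__`, `constructor` and `prototype` path segments and builds null-prototype objects so there is no chain to climb. `isPolluted` is a small check a test suite can run to confirm that nothing leaked onto plain objects. The function and variable names are this example's own.

```javascript
// Added example, not code from yargs-parser: a naive and a hardened dotted-key setter.

// Path segments that must never be used when assigning into plain objects.
const FORBIDDEN_SEGMENTS = new Set(['__proto__', 'constructor', 'prototype']);

// Tokenise argv the way a simple parser would: "--a.b.c value" or "--a.b.c=value".
function pairs(argv) {
  const out = [];
  for (let i = 0; i < argv.length; i++) {
    const tok = argv[i];
    if (!tok.startsWith('--')) continue;
    const [key, inlineVal] = tok.slice(2).split('=', 2);
    const val = inlineVal !== undefined ? inlineVal : argv[++i];
    out.push([key, val]);
  }
  return out;
}

// Naive: walks the dotted path without checking segment names. For the path
// "foo.__proto__.bar", `cur["__proto__"]` yields Object.prototype, so the final
// assignment lands on every object's prototype.
function parseNaive(argv) {
  const result = {};
  for (const [key, val] of pairs(argv)) {
    const segs = key.split('.');
    let cur = result;
    for (const seg of segs.slice(0, -1)) {
      if (cur[seg] === undefined || typeof cur[seg] !== 'object') cur[seg] = {};
      cur = cur[seg];
    }
    cur[segs[segs.length - 1]] = val;
  }
  return result;
}

// Hardened: reject unsafe segments up front, and use null-prototype objects so that
// even an unexpected key name cannot reach Object.prototype through the chain.
function parseHardened(argv) {
  const result = Object.create(null);
  for (const [key, val] of pairs(argv)) {
    const segs = key.split('.');
    if (segs.some((s) => FORBIDDEN_SEGMENTS.has(s))) {
      throw new Error(`refusing unsafe key path: ${key}`);
    }
    let cur = result;
    for (const seg of segs.slice(0, -1)) {
      // hasOwnProperty.call works on null-prototype objects, which have no own method.
      if (!Object.prototype.hasOwnProperty.call(cur, seg) || typeof cur[seg] !== 'object') {
        cur[seg] = Object.create(null);
      }
      cur = cur[seg];
    }
    cur[segs[segs.length - 1]] = val;
  }
  return result;
}

// Detection check: does a fresh plain object now carry a property it never had?
function isPolluted(prop) {
  return ({})[prop] !== undefined;
}

// Runs the payload from the advisory through both parsers and reports what happened.
// The naive pollution is undone afterwards so the rest of the process stays clean.
function demo() {
  const argv = ['--foo.__proto__.bar', 'baz']; // the argument quoted in the advisory
  const before = isPolluted('bar');
  parseNaive(argv);
  const afterNaive = isPolluted('bar');
  delete Object.prototype.bar;
  let hardenedThrew = false;
  try {
    parseHardened(argv);
  } catch (e) {
    hardenedThrew = true;
  }
  const afterHardened = isPolluted('bar');
  return { before, afterNaive, hardenedThrew, afterHardened };
}

console.log(demo());
console.log(parseHardened(['--db.host', 'localhost', '--port=8080']));
```

Rejecting the three segment names is the fix that upstream parsers generally adopt; the null-prototype root is an additional layer that also removes the `constructor.prototype` route, and the `isPolluted` check is cheap enough to run in CI against any code path that merges untrusted keys into objects.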
Recommendation
Update the yargs-parser package to the latest compatible version. Version details:
Affected version(s): **>= 16.0.0, < 18.1.1; <= 5.0.0; >= 6.0.0, < 13.1.2; >= 14.0.0, < 15.0.1** Patched version(s): **18.1.1, 5.0.1, 13.1.2, 15.0.1**
References
- GHSA-p9pc-299p-vxgp
- snyk.io
- www.npmjs.com
- CVE-2020-7608
- CWE-1321
- CWE-915
- CAPEC-310
- OWASP 2021-A6
- OWASP 2021-A8
Related Issues
- TypeORM vulnerable to MAID and Prototype Pollution - CVE-2020-8158
- fast-xml-parser vulnerable to Prototype Pollution through tag or attribute name - CVE-2023-26920
- Parse Server vulnerable to remote code execution via MongoDB BSON parser through prototype pollution - CVE-2023-36475
- shvl vulnerable to prototype pollution - CVE-2020-28278
Tags:
- npm
- yargs-parser
Last updated on January 27, 2023