Fix CVE–2020–7774

[debricked]

CVE–2020–7774

Vulnerable dependency:     y18n (npm)    3.2.1    4.0.0

Vulnerability details

Description

Improperly Controlled Modification of Dynamically-Determined Object Attributes

The software receives input from an upstream component that specifies multiple attributes, properties, or fields that are to be initialized or updated in an object, but it does not properly control which attributes can be modified.

GitHub

Prototype Pollution in y18n

Overview

The npm package y18n before versions 3.2.2, 4.0.1, and 5.0.5 is vulnerable to Prototype Pollution.

POC

const y18n = require('y18n')();

y18n.setLocale('__proto__');
y18n.updateLocale({polluted: true});

console.log(polluted); // true

Recommendation

Upgrade to version 3.2.2, 4.0.1, 5.0.5 or later.

NVD

This affects the package y18n before 3.2.2, 4.0.1 and 5.0.5. PoC by po6ix: const y18n = require('y18n')(); y18n.setLocale('proto'); y18n.updateLocale({polluted: true}); console.log(polluted); // true

CVSS details - 9.8

 

CVSS3 metrics
Attack Vector	Network
Attack Complexity	Low
Privileges Required	None
User interaction	None
Scope	Unchanged
Confidentiality	High
Integrity	High
Availability	High

References

    Prototype Pollution in y18n · CVE-2020-7774 · GitHub Advisory Database · GitHub
    NVD - CVE-2020-7774
    Prototype pollution · Issue #96 · yargs/y18n · GitHub
    fix: address prototype pollution issue by bcoe · Pull Request #108 · yargs/y18n · GitHub
    Oracle Critical Patch Update Advisory - April 2021
    THIRD PARTY
    fix: address prototype pollution issue (#108) · yargs/y18n@a9ac604 · GitHub

 

Related information

📌 Remember! Check the changes to ensure they don't introduce any breaking changes.
📚 Read more about the CVE