yargs-parser could be tricked into adding or modifying properties of Object.prototype using a "__proto__" payload.
snyk·CWE-1321·Published 2020-03-16
yargs-parser could be tricked into adding or modifying properties of Object.prototype using a "__proto__" payload.
yargs-parser could be tricked into adding or modifying properties of Object.prototype using a "__proto__" payload.
Affected versions of `yargs-parser` are vulnerable to prototype pollution. Arguments are not properly sanitized, allowing an attacker to modify the prototype of `Object`, causing the addition or modification of an existing property that will exist on all objects. Parsing the argument `--foo.__proto__.bar baz'` adds a `bar` property with value `baz` to all objects. This is only exploitable if attackers have control over the arguments being passed to `yargs-parser`. ## Recommendation Upgrade to versions 13.1.2, 15.0.1, 18.1.1 or later.
Affected versions of `yargs-parser` are vulnerable to prototype pollution. Arguments are not properly sanitized, allowing an attacker to modify the prototype of `Object`, causing the addition or modification of an existing property that will exist on all objects. Parsing the argument `--foo.__proto__.bar baz'` adds a `bar` property with value `baz` to all objects. This is only exploitable if attackers have control over the arguments being passed to `yargs-parser`. ## Recommendation Upgrade to versions 13.1.2, 15.0.1, 18.1.1 or later.
Yargs-parser podría ser engañado para agregar o modificar propiedades de Object.prototype utilizando una carga útil "__proto__".
| Version | Type | Source | Base | Exp | Impact | Vector |
|---|---|---|---|---|---|---|
| 2.0 | Primary | NVD | 4.6 | 3.9 | 6.4 | AV:L/AC:L/Au:N/C:P/I:P/A:P |
| 3.1 | Primary | NVD | 5.3 | 1.8 | 3.4 | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L |
| 3.1 | Secondary | GHSA | 5.3 | — | — | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L |