MEDIUM 5.3
GHSA-p9pc-299p-vxgp
yargs-parser Vulnerable to Prototype Pollution
Details
Affected versions of `yargs-parser` are vulnerable to prototype pollution. Arguments are not properly sanitized, allowing an attacker to modify the prototype of `Object`, causing the addition or modification of an existing property that will exist on all objects. Parsing the argument `--foo.__proto__.bar baz'` adds a `bar` property with value `baz` to all objects. This is only exploitable if attackers have control over the arguments being passed to `yargs-parser`.
## Recommendation
Upgrade to versions 13.1.2, 15.0.1, 18.1.1 or later.
Are you affected?
Enter the version of the package you're using.
Affected packages
References
- https://nvd.nist.gov/vuln/detail/CVE-2020-7608 [ADVISORY]
- https://github.com/yargs/yargs-parser/commit/1c417bd0b42b09c475ee881e36d292af4fa2cc36 [WEB]
- https://github.com/yargs/yargs-parser/commit/63810ca1ae1a24b08293a4d971e70e058c7a41e2 [WEB]
- https://github.com/yargs/yargs-parser [PACKAGE]
- https://snyk.io/vuln/SNYK-JS-YARGSPARSER-560381 [WEB]
- https://www.npmjs.com/advisories/1500 [WEB]