VDB
KO
MEDIUM 5.3

GHSA-p9pc-299p-vxgp

yargs-parser Vulnerable to Prototype Pollution

Details

Affected versions of `yargs-parser` are vulnerable to prototype pollution. Arguments are not properly sanitized, allowing an attacker to modify the prototype of `Object`, causing the addition or modification of an existing property that will exist on all objects. Parsing the argument `--foo.__proto__.bar baz'` adds a `bar` property with value `baz` to all objects. This is only exploitable if attackers have control over the arguments being passed to `yargs-parser`.

## Recommendation

Upgrade to versions 13.1.2, 15.0.1, 18.1.1 or later.

Are you affected?

Enter the version of the package you're using.

Affected packages

npm / yargs-parser
Introduced in: 6.0.0 Fixed in: 13.1.2
Fix npm install yargs-parser@13.1.2
npm / yargs-parser
Introduced in: 14.0.0 Fixed in: 15.0.1
Fix npm install yargs-parser@15.0.1
npm / yargs-parser
Introduced in: 16.0.0 Fixed in: 18.1.1
Fix npm install yargs-parser@18.1.1
npm / yargs-parser
Introduced in: 0 Fixed in: 5.0.1
Fix npm install yargs-parser@5.0.1

References