MEDIUM 5.3
GHSA-p9pc-299p-vxgp
yargs-parser Vulnerable to Prototype Pollution
상세
Affected versions of `yargs-parser` are vulnerable to prototype pollution. Arguments are not properly sanitized, allowing an attacker to modify the prototype of `Object`, causing the addition or modification of an existing property that will exist on all objects. Parsing the argument `--foo.__proto__.bar baz'` adds a `bar` property with value `baz` to all objects. This is only exploitable if attackers have control over the arguments being passed to `yargs-parser`.
## Recommendation
Upgrade to versions 13.1.2, 15.0.1, 18.1.1 or later.
이 버전이 영향받나요?
사용 중인 패키지 버전을 입력하면 즉시 평가합니다.
영향 패키지
참고
- https://nvd.nist.gov/vuln/detail/CVE-2020-7608 [ADVISORY]
- https://github.com/yargs/yargs-parser/commit/1c417bd0b42b09c475ee881e36d292af4fa2cc36 [WEB]
- https://github.com/yargs/yargs-parser/commit/63810ca1ae1a24b08293a4d971e70e058c7a41e2 [WEB]
- https://github.com/yargs/yargs-parser [PACKAGE]
- https://snyk.io/vuln/SNYK-JS-YARGSPARSER-560381 [WEB]
- https://www.npmjs.com/advisories/1500 [WEB]