CVE-2020-36604 – @hapi/hoek
Package
Manager: npm
Name: @hapi/hoek
Vulnerable Version: >=0 <8.5.1 || >=9.0.0 <9.0.3
Severity
Level: High
CVSS v3.1: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
CVSS v4.0: CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
EPSS: 0.00679 (percentile: 0.70657)
Details
hoek is subject to prototype pollution via the clone function. hoek versions prior to 8.5.1, and 9.x versions prior to 9.0.3, are vulnerable to prototype pollution in the clone function. If an object with the __proto__ key is passed to clone(), the key is converted to a prototype. This issue has been patched in version 9.0.3 and backported to 8.5.1.
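The behaviour described above, shown as an added example that is not hoek's own code: a simplified deep clone that copies keys by plain assignment, next to a variant that defines each key as an own property. The names naiveClone, safeClone and inspect are hypothetical, and the input object is constructed.

```javascript
// Simplified deep clone, NOT hoek's implementation. Keys are copied with plain
// assignment, so an own "__proto__" key triggers the Object.prototype.__proto__
// setter and becomes the prototype of the copy.
function naiveClone(source) {
  if (source === null || typeof source !== 'object') return source;
  const copy = Array.isArray(source) ? [] : {};
  for (const key of Object.keys(source)) {
    copy[key] = naiveClone(source[key]); // "__proto__" re-parents `copy` here
  }
  return copy;
}

// Hardened variant: every key is defined as an own data property, so
// "__proto__" stays an ordinary key and the prototype chain is untouched.
function safeClone(source) {
  if (source === null || typeof source !== 'object') return source;
  const copy = Array.isArray(source) ? [] : {};
  for (const key of Object.keys(source)) {
    Object.defineProperty(copy, key, {
      value: safeClone(source[key]),
      writable: true,
      enumerable: true,
      configurable: true,
    });
  }
  return copy;
}

// Constructed input: JSON.parse creates "__proto__" as an own property,
// which is how such a key typically arrives in request bodies.
const untrusted = JSON.parse('{"name":"guest","__proto__":{"isAdmin":true}}');

// Report what a clone function did with the "__proto__" key.
function inspect(cloneFn) {
  const copy = cloneFn(untrusted);
  return {
    inheritsIsAdmin: copy.isAdmin === true,
    ownProtoKey: Object.prototype.hasOwnProperty.call(copy, '__proto__'),
    prototypeIntact: Object.getPrototypeOf(copy) === Object.prototype,
  };
}

console.log('naive:', inspect(naiveClone));
console.log('safe: ', inspect(safeClone));
```

The three flags returned by inspect can serve as a regression check when upgrading to 8.5.1 or 9.0.3: a clone of attacker-shaped input should keep Object.prototype as its prototype and expose no inherited fields.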
Metadata
Created: 2022-09-25T00:00:27Z
Modified: 2025-05-28T19:35:05Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/09/GHSA-c429-5p7v-vgjp/GHSA-c429-5p7v-vgjp.json
CWE IDs: ["CWE-1321"]
Alternative ID: GHSA-c429-5p7v-vgjp
Finding: F390
Auto approve: 1