GHSA-22h7-7wwg-qmgg – @hapi/hoek
Package
Manager: npm
Name: @hapi/hoek
Vulnerable Version: >=8.3.2 <8.5.1 || >=9.0.0 <9.0.3
Severity
Level: Low
CVSS v3.1: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N/E:P/RL:U/RC:R
CVSS v4.0: CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
EPSS: N/A (percentile: N/A)
Details
Prototype Pollution in @hapi/hoek

Versions of `@hapi/hoek` prior to 8.5.1 and 9.0.3 are vulnerable to Prototype Pollution. The `clone` function fails to prevent modification of the Object prototype when passed specially crafted input. Attackers may use this to change properties that exist on all objects, which may lead to Denial of Service or Remote Code Execution in specific circumstances.

This issue __does not__ affect hapi applications, since the framework protects against such malicious inputs. Applications that use `@hapi/hoek` outside of the hapi ecosystem may be vulnerable.

## Recommendation

Update to version 8.5.1, 9.0.3 or later.
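An added example, not part of the advisory or of `@hapi/hoek`: a Node.js check that reports every copy of `@hapi/hoek` in a `package-lock.json` (`packages` map, lockfileVersion 2 or 3) and whether it falls inside the vulnerable range listed above. The function names and the sample lockfile are constructed for illustration; versions that are not plain `x.y.z` are marked for manual review.

```javascript
// Vulnerable range from the advisory: >=8.3.2 <8.5.1 || >=9.0.0 <9.0.3
const VULNERABLE_RANGES = [
  { min: [8, 3, 2], fixed: [8, 5, 1] },
  { min: [9, 0, 0], fixed: [9, 0, 3] },
];

// Parse "x.y.z" into three numbers. Anything else (pre-release tags, git
// URLs, missing version) returns null so the caller can flag it for review.
function parseVersion(version) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(version);
  return m ? m.slice(1).map(Number) : null;
}

// Three-way comparison of [major, minor, patch] arrays.
function compare(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// Returns true (affected), false (not affected) or null (could not parse).
function isVulnerable(version) {
  const v = parseVersion(version);
  if (v === null) return null;
  return VULNERABLE_RANGES.some(
    (r) => compare(v, r.min) >= 0 && compare(v, r.fixed) < 0);
}

// Walk the lockfile's "packages" map so nested copies pulled in by
// transitive dependencies are reported, not only the top-level install.
function auditLockfile(lock) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (!path.endsWith('node_modules/@hapi/hoek')) continue;
    const verdict = isVulnerable(entry.version);
    const status = verdict === null ? 'review' : verdict ? 'vulnerable' : 'ok';
    findings.push({ path, version: entry.version, status });
  }
  return findings;
}

// Constructed sample lockfile (not taken from a real project).
const sampleLock = { packages: {
  'node_modules/@hapi/hoek': { version: '9.0.3' },
  'node_modules/dep-a/node_modules/@hapi/hoek': { version: '8.4.0' },
  'node_modules/dep-b/node_modules/@hapi/hoek': { version: '8.3.1' },
} };
console.log(auditLockfile(sampleLock));
```

A nested copy can stay on an affected release even after the top-level dependency is upgraded, which is why the check walks every path rather than only the root entry.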
Metadata
Created: 2020-09-04T17:56:39Z
Modified: 2020-08-31T19:00:24Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/09/GHSA-22h7-7wwg-qmgg/GHSA-22h7-7wwg-qmgg.json
CWE IDs: ["CWE-1321"]
Alternative ID: N/A
Finding: F390
Auto approve: 1