
CVE-2018-3728 hoek

Package

Manager: npm
Name: hoek
Vulnerable Version: >=5.0.0 <5.0.3 || >=0 <4.2.1

Severity

Level: High

CVSS v3.1: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

EPSS: 0.01763 (percentile 0.81891)

Details

Prototype Pollution in hoek

Versions of `hoek` prior to 4.2.1 and 5.0.3 are vulnerable to prototype pollution. The `merge` function, and the `applyToDefaults` and `applyToDefaultsWithShallow` functions which leverage `merge` behind the scenes, are vulnerable to a prototype pollution attack when provided an _unvalidated_ payload created from a JSON string containing the `__proto__` property. This can be demonstrated like so:

```javascript
var Hoek = require('hoek');

// JSON.parse keeps "__proto__" as an own property of the parsed object
var malicious_payload = '{"__proto__":{"oops":"It works !"}}';

var a = {};
console.log("Before : " + a.oops); // undefined

// merge recurses into target.__proto__ (Object.prototype) and writes "oops" there
Hoek.merge({}, JSON.parse(malicious_payload));

// the unrelated object a now inherits the injected property
console.log("After : " + a.oops);
```

This type of attack can be used to overwrite existing properties causing a potential denial of service.

Recommendation

Update to version 4.2.1, 5.0.3 or later.
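A defensive counterpart to the proof of concept above, added here as an example and not hoek's own code: a deep merge that refuses to walk into prototype-related keys, plus a validator that flags such keys in an untrusted payload before it reaches any merge. `safeMerge`, `findPollutionKeys` and `demo` are assumed names, and the payload is constructed to match the advisory's shape.

```javascript
// Added example, not hoek's own code: a deep merge that skips prototype-related
// keys, plus a validator that flags such keys in an untrusted parsed payload.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function isPlainObject(value) {
  if (value === null || typeof value !== 'object' || Array.isArray(value)) return false;
  const proto = Object.getPrototypeOf(value);
  return proto === Object.prototype || proto === null;
}

// Walk a parsed payload and return the dotted path of every forbidden key.
function findPollutionKeys(value, path = [], found = []) {
  if (!isPlainObject(value)) return found;
  for (const key of Object.keys(value)) {       // own keys only; JSON.parse makes __proto__ an own key
    const here = [...path, key];
    if (FORBIDDEN_KEYS.has(key)) found.push(here.join('.'));
    findPollutionKeys(value[key], here, found);
  }
  return found;
}

// Deep merge that copies only own, non-forbidden keys and recurses only into
// plain objects the target owns, so the walk can never reach Object.prototype.
function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) continue;
    const value = source[key];
    if (isPlainObject(value)) {
      if (!Object.prototype.hasOwnProperty.call(target, key) || !isPlainObject(target[key])) {
        target[key] = {};                         // fresh own object, never an inherited one
      }
      safeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Constructed payload with the same shape as the advisory's proof of concept.
const maliciousPayload = '{"__proto__":{"oops":"It works !"},"name":"demo"}';

function demo() {
  const parsed = JSON.parse(maliciousPayload);
  const flagged = findPollutionKeys(parsed);     // ['__proto__']
  const result = safeMerge({ existing: 1 }, parsed);
  const polluted = ({}).oops !== undefined;      // false: Object.prototype untouched
  return { flagged, result, polluted };
}
```

Rejecting the payload when `findPollutionKeys` returns anything is the cheaper control at an input boundary; `safeMerge` is the fallback when the merge itself must tolerate untrusted keys.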

Metadata

Created: 2018-04-26T15:25:17Z
Modified: 2025-05-29T22:49:49Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/04/GHSA-jp4x-w63m-7wgm/GHSA-jp4x-w63m-7wgm.json
CWE IDs: ["CWE-1321"]
Alternative ID: GHSA-jp4x-w63m-7wgm
Finding: F390
Auto approve: 1