Fluid Attacks Database

Description

This affects the package ini before 1.3.6. If an attacker submits a malicious INI file to an application that parses it with ini.parse, they will pollute the prototype on the application. This can be exploited further depending on the context.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
debian 12	node-ini	>=0 <2.0.0-1	2.0.0-1
debian 11	node-ini	>=0 <2.0.0-1	2.0.0-1
debian 13	node-ini	>=0 <2.0.0-1	2.0.0-1
debian 14	node-ini	>=0 <2.0.0-1	2.0.0-1
npm	ini	>=0 <1.3.6	1.3.6
rpm rhel9	nodejs-nodemon	<0:2.0.19-1.el9_0	0:2.0.19-1.el9_0
rpm rhel8	nodejs	<1:10.23.1-1.module+el8.3.0+9502+012d8a97	1:10.23.1-1.module+el8.3.0+9502+012d8a97
rpm rhel8.4	nodejs	<1:14.18.2-2.module+el8.4.0+13643+6c0ebf22	1:14.18.2-2.module+el8.4.0+13643+6c0ebf22

Aliases

1. CVE-2020-77882. NVD-2020-77883. OSV-DEBIAN-2020-77884. OSV-2020-77885. GCVE-2020-77886. SECURITY-TRACKER-CVE-2020-77887. lists.debian.org

References

1. https://github.com/npm/ini/commit/56d2805e07ccd94e2ba0984ac9240ff02d44b6f12. https://www.npmjs.com/advisories/1589