Fluid Attacks Database

Description

Prototype Pollution in y18n

Overview

The npm package y18n before versions 3.2.2, 4.0.1, and 5.0.5 is vulnerable to Prototype Pollution.

POC

const y18n = require('y18n')();

y18n.setLocale('__proto__');
y18n.updateLocale({polluted: true});

console.log(polluted); // true

Recommendation

Upgrade to version 3.2.2, 4.0.1, 5.0.5 or later.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
npm	y18n	>=0 <3.2.2 \|\| =4.0.0 \|\| >=4.0.0 <4.0.1 \|\| >=5.0.0 <5.0.5	3.2.2, 4.0.1, 5.0.5
alpine v3.22	nodejs	>=0 <14.16.1-r0	14.16.1-r0
alpine v3.10	nodejs	=10.13.0-r0 \|\| =10.14.0-r0 \|\| =10.14.1-r0 \|\| =10.14.2-r0 \|\| =10.15.1-r0 \|\| =10.15.3-r0 \|\| =10.16.0-r0 \|\| =10.16.3-r0 \|\| =10.19.0-r0 \|\| =10.24.0-r0 \|\| =4.4.3-r0 \|\| =4.4.4-r0 \|\| =4.4.5-r0 \|\| =4.4.7-r0 \|\| =4.5.0-r0 \|\| =6.10.0-r0 \|\| =6.10.1-r0 \|\| =6.10.3-r0 \|\| =6.11.0-r0 \|\| =6.11.1-r0 \|\| =6.11.1-r1 \|\| =6.11.1-r2 \|\| =6.11.2-r0 \|\| =6.11.3-r0 \|\| =6.11.4-r0 \|\| =6.11.5-r0 \|\| =6.9.1-r0 \|\| =6.9.1-r1 \|\| =6.9.2-r0 \|\| =6.9.4-r0 \|\| =6.9.4-r1 \|\| =6.9.5-r0 \|\| =6.9.5-r1 \|\| =8.10.0-r0 \|\| =8.11.0-r0 \|\| =8.11.0-r1 \|\| =8.11.1-r0 \|\| =8.11.1-r1 \|\| =8.11.1-r2 \|\| =8.11.2-r0 \|\| =8.11.3-r0 \|\| =8.11.3-r1 \|\| =8.11.3-r2 \|\| =8.11.3-r3 \|\| =8.11.4-r0 \|\| =8.12.0-r0 \|\| =8.9.0-r0 \|\| =8.9.1-r0 \|\| =8.9.2-r0 \|\| =8.9.3-r0 \|\| =8.9.3-r1 \|\| =8.9.4-r0 \|\| >=0 <10.24.1-r0	10.24.1-r0
alpine v3.12	nodejs	=10.13.0-r0 \|\| =10.14.0-r0 \|\| =10.14.1-r0 \|\| =10.14.2-r0 \|\| =10.15.1-r0 \|\| =10.15.3-r0 \|\| =10.16.0-r0 \|\| =10.16.1-r0 \|\| =10.16.2-r0 \|\| =10.16.3-r0 \|\| =12.13.0-r0 \|\| =12.13.0-r1 \|\| =12.13.1-r0 \|\| =12.14.0-r0 \|\| =12.14.1-r0 \|\| =12.15.0-r0 \|\| =12.15.0-r1 \|\| =12.15.0-r2 \|\| =12.16.2-r0 \|\| =12.16.3-r0 \|\| =12.16.3-r1 \|\| =12.17.0-r0 \|\| =12.18.3-r0 \|\| =12.18.4-r0 \|\| =12.19.0-r0 \|\| =12.20.1-r0 \|\| =12.21.0-r0 \|\| =4.4.3-r0 \|\| =4.4.4-r0 \|\| =4.4.5-r0 \|\| =4.4.7-r0 \|\| =4.5.0-r0 \|\| =6.10.0-r0 \|\| =6.10.1-r0 \|\| =6.10.3-r0 \|\| =6.11.0-r0 \|\| =6.11.1-r0 \|\| =6.11.1-r1 \|\| =6.11.1-r2 \|\| =6.11.2-r0 \|\| =6.11.3-r0 \|\| =6.11.4-r0 \|\| =6.11.5-r0 \|\| =6.9.1-r0 \|\| =6.9.1-r1 \|\| =6.9.2-r0 \|\| =6.9.4-r0 \|\| =6.9.4-r1 \|\| =6.9.5-r0 \|\| =6.9.5-r1 \|\| =8.10.0-r0 \|\| =8.11.0-r0 \|\| =8.11.0-r1 \|\| =8.11.1-r0 \|\| =8.11.1-r1 \|\| =8.11.1-r2 \|\| =8.11.2-r0 \|\| =8.11.3-r0 \|\| =8.11.3-r1 \|\| =8.11.3-r2 \|\| =8.11.3-r3 \|\| =8.11.4-r0 \|\| =8.12.0-r0 \|\| =8.9.0-r0 \|\| =8.9.1-r0 \|\| =8.9.2-r0 \|\| =8.9.3-r0 \|\| =8.9.3-r1 \|\| =8.9.4-r0 \|\| >=0 <12.22.1-r0	12.22.1-r0
alpine v3.14	nodejs	=10.13.0-r0 \|\| =10.14.0-r0 \|\| =10.14.1-r0 \|\| =10.14.2-r0 \|\| =10.15.1-r0 \|\| =10.15.3-r0 \|\| =10.16.0-r0 \|\| =10.16.1-r0 \|\| =10.16.2-r0 \|\| =10.16.3-r0 \|\| =12.13.0-r0 \|\| =12.13.0-r1 \|\| =12.13.1-r0 \|\| =12.14.0-r0 \|\| =12.14.1-r0 \|\| =12.15.0-r0 \|\| =12.15.0-r1 \|\| =12.15.0-r2 \|\| =12.16.2-r0 \|\| =12.16.3-r0 \|\| =12.16.3-r1 \|\| =12.17.0-r0 \|\| =12.18.0-r0 \|\| =12.18.0-r1 \|\| =12.18.0-r2 \|\| =12.18.2-r0 \|\| =12.18.3-r0 \|\| =12.18.4-r0 \|\| =12.19.0-r0 \|\| =14.15.1-r0 \|\| =14.15.3-r0 \|\| =14.15.3-r1 \|\| =14.15.3-r2 \|\| =14.15.4-r0 \|\| =14.15.5-r0 \|\| =14.16.0-r0 \|\| =14.16.0-r1 \|\| =4.4.3-r0 \|\| =4.4.4-r0 \|\| =4.4.5-r0 \|\| =4.4.7-r0 \|\| =4.5.0-r0 \|\| =6.10.0-r0 \|\| =6.10.1-r0 \|\| =6.10.3-r0 \|\| =6.11.0-r0 \|\| =6.11.1-r0 \|\| =6.11.1-r1 \|\| =6.11.1-r2 \|\| =6.11.2-r0 \|\| =6.11.3-r0 \|\| =6.11.4-r0 \|\| =6.11.5-r0 \|\| =6.9.1-r0 \|\| =6.9.1-r1 \|\| =6.9.2-r0 \|\| =6.9.4-r0 \|\| =6.9.4-r1 \|\| =6.9.5-r0 \|\| =6.9.5-r1 \|\| =8.10.0-r0 \|\| =8.11.0-r0 \|\| =8.11.0-r1 \|\| =8.11.1-r0 \|\| =8.11.1-r1 \|\| =8.11.1-r2 \|\| =8.11.2-r0 \|\| =8.11.3-r0 \|\| =8.11.3-r1 \|\| =8.11.3-r2 \|\| =8.11.3-r3 \|\| =8.11.4-r0 \|\| =8.12.0-r0 \|\| =8.9.0-r0 \|\| =8.9.1-r0 \|\| =8.9.2-r0 \|\| =8.9.3-r0 \|\| =8.9.3-r1 \|\| =8.9.4-r0 \|\| >=0 <14.16.1-r0	14.16.1-r0
alpine v3.15	nodejs	=10.13.0-r0 \|\| =10.14.0-r0 \|\| =10.14.1-r0 \|\| =10.14.2-r0 \|\| =10.15.1-r0 \|\| =10.15.3-r0 \|\| =10.16.0-r0 \|\| =10.16.1-r0 \|\| =10.16.2-r0 \|\| =10.16.3-r0 \|\| =12.13.0-r0 \|\| =12.13.0-r1 \|\| =12.13.1-r0 \|\| =12.14.0-r0 \|\| =12.14.1-r0 \|\| =12.15.0-r0 \|\| =12.15.0-r1 \|\| =12.15.0-r2 \|\| =12.16.2-r0 \|\| =12.16.3-r0 \|\| =12.16.3-r1 \|\| =12.17.0-r0 \|\| =12.18.0-r0 \|\| =12.18.0-r1 \|\| =12.18.0-r2 \|\| =12.18.2-r0 \|\| =12.18.3-r0 \|\| =12.18.4-r0 \|\| =12.19.0-r0 \|\| =14.15.1-r0 \|\| =14.15.3-r0 \|\| =14.15.3-r1 \|\| =14.15.3-r2 \|\| =14.15.4-r0 \|\| =14.15.5-r0 \|\| =14.16.0-r0 \|\| =14.16.0-r1 \|\| =4.4.3-r0 \|\| =4.4.4-r0 \|\| =4.4.5-r0 \|\| =4.4.7-r0 \|\| =4.5.0-r0 \|\| =6.10.0-r0 \|\| =6.10.1-r0 \|\| =6.10.3-r0 \|\| =6.11.0-r0 \|\| =6.11.1-r0 \|\| =6.11.1-r1 \|\| =6.11.1-r2 \|\| =6.11.2-r0 \|\| =6.11.3-r0 \|\| =6.11.4-r0 \|\| =6.11.5-r0 \|\| =6.9.1-r0 \|\| =6.9.1-r1 \|\| =6.9.2-r0 \|\| =6.9.4-r0 \|\| =6.9.4-r1 \|\| =6.9.5-r0 \|\| =6.9.5-r1 \|\| =8.10.0-r0 \|\| =8.11.0-r0 \|\| =8.11.0-r1 \|\| =8.11.1-r0 \|\| =8.11.1-r1 \|\| =8.11.1-r2 \|\| =8.11.2-r0 \|\| =8.11.3-r0 \|\| =8.11.3-r1 \|\| =8.11.3-r2 \|\| =8.11.3-r3 \|\| =8.11.4-r0 \|\| =8.12.0-r0 \|\| =8.9.0-r0 \|\| =8.9.1-r0 \|\| =8.9.2-r0 \|\| =8.9.3-r0 \|\| =8.9.3-r1 \|\| =8.9.4-r0 \|\| >=0 <14.16.1-r0	14.16.1-r0
alpine v3.16	nodejs	=10.13.0-r0 \|\| =10.14.0-r0 \|\| =10.14.1-r0 \|\| =10.14.2-r0 \|\| =10.15.1-r0 \|\| =10.15.3-r0 \|\| =10.16.0-r0 \|\| =10.16.1-r0 \|\| =10.16.2-r0 \|\| =10.16.3-r0 \|\| =12.13.0-r0 \|\| =12.13.0-r1 \|\| =12.13.1-r0 \|\| =12.14.0-r0 \|\| =12.14.1-r0 \|\| =12.15.0-r0 \|\| =12.15.0-r1 \|\| =12.15.0-r2 \|\| =12.16.2-r0 \|\| =12.16.3-r0 \|\| =12.16.3-r1 \|\| =12.17.0-r0 \|\| =12.18.0-r0 \|\| =12.18.0-r1 \|\| =12.18.0-r2 \|\| =12.18.2-r0 \|\| =12.18.3-r0 \|\| =12.18.4-r0 \|\| =12.19.0-r0 \|\| =14.15.1-r0 \|\| =14.15.3-r0 \|\| =14.15.3-r1 \|\| =14.15.3-r2 \|\| =14.15.4-r0 \|\| =14.15.5-r0 \|\| =14.16.0-r0 \|\| =14.16.0-r1 \|\| =4.4.3-r0 \|\| =4.4.4-r0 \|\| =4.4.5-r0 \|\| =4.4.7-r0 \|\| =4.5.0-r0 \|\| =6.10.0-r0 \|\| =6.10.1-r0 \|\| =6.10.3-r0 \|\| =6.11.0-r0 \|\| =6.11.1-r0 \|\| =6.11.1-r1 \|\| =6.11.1-r2 \|\| =6.11.2-r0 \|\| =6.11.3-r0 \|\| =6.11.4-r0 \|\| =6.11.5-r0 \|\| =6.9.1-r0 \|\| =6.9.1-r1 \|\| =6.9.2-r0 \|\| =6.9.4-r0 \|\| =6.9.4-r1 \|\| =6.9.5-r0 \|\| =6.9.5-r1 \|\| =8.10.0-r0 \|\| =8.11.0-r0 \|\| =8.11.0-r1 \|\| =8.11.1-r0 \|\| =8.11.1-r1 \|\| =8.11.1-r2 \|\| =8.11.2-r0 \|\| =8.11.3-r0 \|\| =8.11.3-r1 \|\| =8.11.3-r2 \|\| =8.11.3-r3 \|\| =8.11.4-r0 \|\| =8.12.0-r0 \|\| =8.9.0-r0 \|\| =8.9.1-r0 \|\| =8.9.2-r0 \|\| =8.9.3-r0 \|\| =8.9.3-r1 \|\| =8.9.4-r0 \|\| >=0 <14.16.1-r0	14.16.1-r0
alpine v3.17	nodejs	=10.13.0-r0 \|\| =10.14.0-r0 \|\| =10.14.1-r0 \|\| =10.14.2-r0 \|\| =10.15.1-r0 \|\| =10.15.3-r0 \|\| =10.16.0-r0 \|\| =10.16.1-r0 \|\| =10.16.2-r0 \|\| =10.16.3-r0 \|\| =12.13.0-r0 \|\| =12.13.0-r1 \|\| =12.13.1-r0 \|\| =12.14.0-r0 \|\| =12.14.1-r0 \|\| =12.15.0-r0 \|\| =12.15.0-r1 \|\| =12.15.0-r2 \|\| =12.16.2-r0 \|\| =12.16.3-r0 \|\| =12.16.3-r1 \|\| =12.17.0-r0 \|\| =12.18.0-r0 \|\| =12.18.0-r1 \|\| =12.18.0-r2 \|\| =12.18.2-r0 \|\| =12.18.3-r0 \|\| =12.18.4-r0 \|\| =12.19.0-r0 \|\| =14.15.1-r0 \|\| =14.15.3-r0 \|\| =14.15.3-r1 \|\| =14.15.3-r2 \|\| =14.15.4-r0 \|\| =14.15.5-r0 \|\| =14.16.0-r0 \|\| =14.16.0-r1 \|\| =4.4.3-r0 \|\| =4.4.4-r0 \|\| =4.4.5-r0 \|\| =4.4.7-r0 \|\| =4.5.0-r0 \|\| =6.10.0-r0 \|\| =6.10.1-r0 \|\| =6.10.3-r0 \|\| =6.11.0-r0 \|\| =6.11.1-r0 \|\| =6.11.1-r1 \|\| =6.11.1-r2 \|\| =6.11.2-r0 \|\| =6.11.3-r0 \|\| =6.11.4-r0 \|\| =6.11.5-r0 \|\| =6.9.1-r0 \|\| =6.9.1-r1 \|\| =6.9.2-r0 \|\| =6.9.4-r0 \|\| =6.9.4-r1 \|\| =6.9.5-r0 \|\| =6.9.5-r1 \|\| =8.10.0-r0 \|\| =8.11.0-r0 \|\| =8.11.0-r1 \|\| =8.11.1-r0 \|\| =8.11.1-r1 \|\| =8.11.1-r2 \|\| =8.11.2-r0 \|\| =8.11.3-r0 \|\| =8.11.3-r1 \|\| =8.11.3-r2 \|\| =8.11.3-r3 \|\| =8.11.4-r0 \|\| =8.12.0-r0 \|\| =8.9.0-r0 \|\| =8.9.1-r0 \|\| =8.9.2-r0 \|\| =8.9.3-r0 \|\| =8.9.3-r1 \|\| =8.9.4-r0 \|\| >=0 <14.16.1-r0	14.16.1-r0
alpine v3.18	nodejs	=10.13.0-r0 \|\| =10.14.0-r0 \|\| =10.14.1-r0 \|\| =10.14.2-r0 \|\| =10.15.1-r0 \|\| =10.15.3-r0 \|\| =10.16.0-r0 \|\| =10.16.1-r0 \|\| =10.16.2-r0 \|\| =10.16.3-r0 \|\| =12.13.0-r0 \|\| =12.13.0-r1 \|\| =12.13.1-r0 \|\| =12.14.0-r0 \|\| =12.14.1-r0 \|\| =12.15.0-r0 \|\| =12.15.0-r1 \|\| =12.15.0-r2 \|\| =12.16.2-r0 \|\| =12.16.3-r0 \|\| =12.16.3-r1 \|\| =12.17.0-r0 \|\| =12.18.0-r0 \|\| =12.18.0-r1 \|\| =12.18.0-r2 \|\| =12.18.2-r0 \|\| =12.18.3-r0 \|\| =12.18.4-r0 \|\| =12.19.0-r0 \|\| =14.15.1-r0 \|\| =14.15.3-r0 \|\| =14.15.3-r1 \|\| =14.15.3-r2 \|\| =14.15.4-r0 \|\| =14.15.5-r0 \|\| =14.16.0-r0 \|\| =14.16.0-r1 \|\| =4.4.3-r0 \|\| =4.4.4-r0 \|\| =4.4.5-r0 \|\| =4.4.7-r0 \|\| =4.5.0-r0 \|\| =6.10.0-r0 \|\| =6.10.1-r0 \|\| =6.10.3-r0 \|\| =6.11.0-r0 \|\| =6.11.1-r0 \|\| =6.11.1-r1 \|\| =6.11.1-r2 \|\| =6.11.2-r0 \|\| =6.11.3-r0 \|\| =6.11.4-r0 \|\| =6.11.5-r0 \|\| =6.9.1-r0 \|\| =6.9.1-r1 \|\| =6.9.2-r0 \|\| =6.9.4-r0 \|\| =6.9.4-r1 \|\| =6.9.5-r0 \|\| =6.9.5-r1 \|\| =8.10.0-r0 \|\| =8.11.0-r0 \|\| =8.11.0-r1 \|\| =8.11.1-r0 \|\| =8.11.1-r1 \|\| =8.11.1-r2 \|\| =8.11.2-r0 \|\| =8.11.3-r0 \|\| =8.11.3-r1 \|\| =8.11.3-r2 \|\| =8.11.3-r3 \|\| =8.11.4-r0 \|\| =8.12.0-r0 \|\| =8.9.0-r0 \|\| =8.9.1-r0 \|\| =8.9.2-r0 \|\| =8.9.3-r0 \|\| =8.9.3-r1 \|\| =8.9.4-r0 \|\| >=0 <14.16.1-r0	14.16.1-r0
alpine v3.11	nodejs	=10.13.0-r0 \|\| =10.14.0-r0 \|\| =10.14.1-r0 \|\| =10.14.2-r0 \|\| =10.15.1-r0 \|\| =10.15.3-r0 \|\| =10.16.0-r0 \|\| =10.16.1-r0 \|\| =10.16.2-r0 \|\| =10.16.3-r0 \|\| =12.13.0-r0 \|\| =12.13.0-r1 \|\| =12.13.1-r0 \|\| =12.14.0-r0 \|\| =12.15.0-r0 \|\| =12.15.0-r1 \|\| =12.20.1-r0 \|\| =12.21.0-r0 \|\| =4.4.3-r0 \|\| =4.4.4-r0 \|\| =4.4.5-r0 \|\| =4.4.7-r0 \|\| =4.5.0-r0 \|\| =6.10.0-r0 \|\| =6.10.1-r0 \|\| =6.10.3-r0 \|\| =6.11.0-r0 \|\| =6.11.1-r0 \|\| =6.11.1-r1 \|\| =6.11.1-r2 \|\| =6.11.2-r0 \|\| =6.11.3-r0 \|\| =6.11.4-r0 \|\| =6.11.5-r0 \|\| =6.9.1-r0 \|\| =6.9.1-r1 \|\| =6.9.2-r0 \|\| =6.9.4-r0 \|\| =6.9.4-r1 \|\| =6.9.5-r0 \|\| =6.9.5-r1 \|\| =8.10.0-r0 \|\| =8.11.0-r0 \|\| =8.11.0-r1 \|\| =8.11.1-r0 \|\| =8.11.1-r1 \|\| =8.11.1-r2 \|\| =8.11.2-r0 \|\| =8.11.3-r0 \|\| =8.11.3-r1 \|\| =8.11.3-r2 \|\| =8.11.3-r3 \|\| =8.11.4-r0 \|\| =8.12.0-r0 \|\| =8.9.0-r0 \|\| =8.9.1-r0 \|\| =8.9.2-r0 \|\| =8.9.3-r0 \|\| =8.9.3-r1 \|\| =8.9.4-r0 \|\| >=0 <12.22.1-r0	12.22.1-r0

1-10 of 20

Aliases

1. CVE-2020-77742. NVD-2020-77743. OSV-2020-77744. OSV-ALPINE-2020-77745. OSV-DEBIAN-2020-77746. GCVE-2020-77747. SECURITY-CVE-2020-77748. SECURITY-TRACKER-CVE-2020-7774

References

1. https://github.com/yargs/y18n/issues/962. https://github.com/yargs/y18n/pull/1083. https://github.com/yargs/y18n/commit/90401eea9062ad498f4f792e3fff8008c4c193a34. https://github.com/yargs/y18n/commit/a9ac604abf756dec9687be3843e2c93bfe581f255. https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf6. https://www.oracle.com/security-alerts/cpuApr2021.html

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.