GHSA-c4w7-xm78-47vh

Source

https://github.com/advisories/GHSA-c4w7-xm78-47vh

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/03/GHSA-c4w7-xm78-47vh/GHSA-c4w7-xm78-47vh.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-c4w7-xm78-47vh

Aliases

CVE-2020-7774

Published

2021-03-29T16:05:12Z

Modified

2024-12-05T15:28:53.812442Z

Severity

7.3 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L CVSS Calculator

Summary

Prototype Pollution in y18n

Details

Overview

The npm package y18n before versions 3.2.2, 4.0.1, and 5.0.5 is vulnerable to Prototype Pollution.

POC

const y18n = require('y18n')();

y18n.setLocale('__proto__');
y18n.updateLocale({polluted: true});

console.log(polluted); // true

Recommendation

Upgrade to version 3.2.2, 4.0.1, 5.0.5 or later.

Database specific

{
    "nvd_published_at": "2020-11-17T13:15:00Z",
    "cwe_ids": [
        "CWE-1321",
        "CWE-20",
        "CWE-915"
    ],
    "severity": "HIGH",
    "github_reviewed": true,
    "github_reviewed_at": "2021-03-12T21:23:11Z"
}

References

Affected packages

npm / y18n

Package

Name: y18n; View open source insights on deps.dev
Purl: pkg:npm/y18n

Affected ranges

Type: SEMVER
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

3.2.2

Ecosystem specific

{
    "affected_functions": [
        "(y18n)"
    ]
}

npm / y18n

Package

Name: y18n; View open source insights on deps.dev
Purl: pkg:npm/y18n

Affected ranges

Type: SEMVER
Events: Introduced

4.0.0

Fixed

4.0.1

Affected versions

4.*

4.0.0

Ecosystem specific

{
    "affected_functions": [
        "(y18n)"
    ]
}

npm / y18n

Package

Name: y18n; View open source insights on deps.dev
Purl: pkg:npm/y18n

Affected ranges

Type: SEMVER
Events: Introduced

5.0.0

Fixed

5.0.5

Ecosystem specific

{
    "affected_functions": [
        "(y18n)"
    ]
}