CVE-2020-36604: hoek subject to prototype pollution via the clone function.

CVSS Score (v3.1): 8.1

Basic Information

EPSS Score: 0.70464%
Published: 9/25/2022
Updated: 2/7/2024
KEV Status: No
Technology: JavaScript

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Package Name | Ecosystem | Vulnerable Versions | First Patched Version
@hapi/hoek   | npm       | < 8.5.1             | 8.5.1
@hapi/hoek   | npm       | >= 9.0.0, < 9.0.3   | 9.0.3
hoek         | npm       | <= 6.1.3            |

Vulnerability Intelligence

Root Cause Analysis (Miggo AI)

The vulnerability documentation explicitly states that the clone() function is the entry point for prototype pollution. The GitHub commit diffs (4d0804b and 948baf9) show code changes in lib/clone.js where a check for '__proto__' keys was added to prevent prototype pollution. The test case added in test/index.js validates this fix by ensuring that cloned objects do not inherit prototype properties from '__proto__' keys. This direct correlation between the vulnerability description, the CWE-1321 classification, and the code changes confirms the clone function in lib/clone.js as the vulnerable component.
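As an added illustration (not hoek's own code), a minimal recursive clone shows how an own "__proto__" key in parsed JSON is turned into the clone's prototype, beside a hardened version with the same kind of key check the analysis describes; naiveClone, safeClone, demo and the sample JSON are constructed for this example.

```javascript
// Added illustration, not hoek's own code: a minimal recursive clone that copies
// every own key of a parsed JSON object, and a hardened variant that skips the
// "__proto__" key, mirroring the check described in the root cause analysis.

// Vulnerable shape: assigning out["__proto__"] on a plain object does not create
// an own property, it invokes the Object.prototype.__proto__ setter and re-parents
// the clone. Anything under that key in the input becomes inherited state.
function naiveClone(value) {
  if (value === null || typeof value !== 'object') return value;
  const out = Array.isArray(value) ? [] : {};
  for (const key of Object.keys(value)) {
    out[key] = naiveClone(value[key]);
  }
  return out;
}

// Hardened shape: refuse the key outright, and write through defineProperty so
// a key can never be routed to a prototype setter even if the deny-list grows.
function safeClone(value) {
  if (value === null || typeof value !== 'object') return value;
  const out = Array.isArray(value) ? [] : {};
  for (const key of Object.keys(value)) {
    if (key === '__proto__') continue;
    Object.defineProperty(out, key, {
      value: safeClone(value[key]), enumerable: true, writable: true, configurable: true,
    });
  }
  return out;
}

// Constructed untrusted input: JSON.parse keeps "__proto__" as an ordinary own key,
// which is how such a key reaches a clone() call from a request body.
const UNTRUSTED_JSON = '{"name":"alice","__proto__":{"isAdmin":true}}';

// Returns what each clone "sees" for a key the caller never set as an own property.
function demo() {
  const input = JSON.parse(UNTRUSTED_JSON);
  const bad = naiveClone(input);
  const good = safeClone(input);
  return {
    inputHasOwnProto: Object.prototype.hasOwnProperty.call(input, '__proto__'),
    naiveInherits: bad.isAdmin === true && !Object.prototype.hasOwnProperty.call(bad, 'isAdmin'),
    naiveReparented: Object.getPrototypeOf(bad) !== Object.prototype,
    safeIsClean: good.isAdmin === undefined && Object.getPrototypeOf(good) === Object.prototype,
    globalUntouched: ({}).isAdmin === undefined, // Object.prototype itself is never modified here
  };
}
```

Note that the pollution is confined to the cloned object's prototype, which is exactly why an own-property check on the input does not catch it: the inherited isAdmin only appears on the result of clone().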
