
CVE-2020-36618: FurqanSoftware/node-whois vulnerable to Prototype Pollution

CVSS Score: 9.8 (CVSS 3.1)

Basic Information

EPSS Score: 0.22216%
Published: 12/19/2022
Updated: 1/29/2023
KEV Status: No
Technology: JavaScript

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Package Name: whois
Ecosystem: npm
Vulnerable Versions: < 2.13.6
First Patched Version: 2.13.6

Vulnerability Intelligence

Miggo AI Root Cause Analysis

The vulnerability stems from the lookup function's failure to validate the 'addr' parameter. The patch (46ccc2a) explicitly adds a check for '__proto__' in the addr parameter and rejects it, indicating this was the injection point. The prototype pollution occurred because the function processed attacker-controlled keys that could modify prototype properties. The CWE-1321 classification and the GitHub advisory confirm this is a prototype pollution vulnerability in the lookup flow.
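As an added illustration (constructed example code, not the node-whois implementation or its patch), this shows the vulnerable pattern the analysis describes, the `__proto__` check the patch introduces for `addr`, and a Map-based store as defence in depth that goes beyond the patch:

```javascript
// Constructed example of the bug class and the fix described above (not node-whois's code).

// Vulnerable pattern: the caller-supplied `addr` string is used verbatim as a
// property name on a plain object, so "__proto__" resolves to Object.prototype.
function storeUnchecked(store, addr, field, value) {
  if (!store[addr]) store[addr] = {};
  store[addr][field] = value; // with addr === "__proto__" this lands on every object
  return store;
}

// Hardened input check, mirroring what the patch does: reject `__proto__` in `addr`.
function validateAddr(addr) {
  if (typeof addr !== "string" || addr.trim() === "") {
    throw new TypeError("addr must be a non-empty string");
  }
  if (addr.includes("__proto__")) {
    throw new Error("invalid addr: prototype pollution attempt");
  }
  return addr;
}

// Defence in depth beyond the patch: a Map cannot reach the prototype chain through a
// string key, so a later bypass of the check still cannot pollute Object.prototype.
function storeChecked(store, addr, field, value) {
  validateAddr(addr);
  const rec = store.get(addr) ?? {};
  rec[field] = value;
  store.set(addr, rec);
  return store;
}

// Runs both variants against the hostile key and reports whether an unrelated,
// freshly created object picked up the injected property. Always cleans up.
function demonstrate() {
  const hostileAddr = "__proto__";
  const result = { uncheckedPolluted: false, checkedRejected: false, checkedPolluted: false };
  try {
    storeUnchecked({}, hostileAddr, "injected", true);
    result.uncheckedPolluted = ({}).injected === true;
  } finally {
    delete Object.prototype.injected;
  }
  try {
    storeChecked(new Map(), hostileAddr, "injected", true);
  } catch {
    result.checkedRejected = true;
  }
  result.checkedPolluted = ({}).injected === true;
  return result;
}
```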


WAF Protection Rules

WAF Rule

A vulnerability classified as critical has been found in Furqan node-whois. Affected is an unknown function of the file `index.coffee`. The manipulation leads to improperly controlled modification of object prototype attributes ('prototype pollution'