CVE-2020-7608: yargs-parser Vulnerable to Prototype Pollution
5.3
CVSS Score
3.1
Basic Information
CVE ID
GHSA ID
EPSS Score
0.30352%
CWE
Published
9/4/2020
Updated
1/27/2023
KEV Status
No
Technology
JavaScript
Technical Details
CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
---|---|---|---|
yargs-parser | npm | >= 6.0.0, < 13.1.2 | 13.1.2 |
yargs-parser | npm | >= 14.0.0, < 15.0.1 | 15.0.1 |
yargs-parser | npm | <= 5.0.0 | 5.0.1 |
yargs-parser | npm | >= 16.0.0, < 18.1.1 | 18.1.1 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability stems from how yargs-parser's core parsing logic handles object notation in arguments. The commit diff shows key sanitization was added to the parse function in index.js, specifically replacing `__proto__` with `___proto___` during key processing. Before this fix, the code path handling dot-notation keys (keys.slice().forEach() and key assignment) didn't prevent prototype pollution through `__proto__` properties. The test cases added in the commit verify that prototype pollution is prevented by checking Object.prototype modifications, confirming the parse function's key handling was the vulnerable component.
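
The key handling described above, reduced to a minimal dot-notation setter with and without key sanitization, plus the kind of regression check the analysis mentions. This is an added example, not yargs-parser's own code; `setKey`, `sanitizeKey`, `leaksToPrototype` and the marker property name are hypothetical names chosen for illustration.

```javascript
// Added illustration: a minimal dot-notation setter, not yargs-parser's source.
// All function and property names here are hypothetical.

// Rename the dangerous key so it becomes an ordinary own property.
function sanitizeKey(key) {
  return key === '__proto__' ? '___proto___' : key;
}

// Walk a dotted path such as "a.b.c", creating nested objects as needed.
function setKey(obj, dottedKey, value, { sanitize }) {
  const keys = dottedKey.split('.').map(k => (sanitize ? sanitizeKey(k) : k));
  let o = obj;
  for (const key of keys.slice(0, -1)) {
    // Without sanitizing, o['__proto__'] resolves to Object.prototype here,
    // so the walk steps out of the result object and into the shared prototype.
    if (typeof o[key] !== 'object' || o[key] === null) o[key] = {};
    o = o[key];
  }
  o[keys[keys.length - 1]] = value;
  return obj;
}

// Regression check: does setting the constructed key modify Object.prototype?
function leaksToPrototype(sanitize) {
  const marker = 'pollutedMarker'; // constructed property name
  const parsed = setKey({}, `__proto__.${marker}`, true, { sanitize });
  const leaked = Object.prototype.hasOwnProperty.call(Object.prototype, marker);
  delete Object.prototype[marker]; // always restore global state
  return { leaked, parsed };
}

console.log('unsanitized leaks:', leaksToPrototype(false).leaked);
console.log('sanitized leaks:  ', leaksToPrototype(true).leaked);
```

With sanitization the value stays inside the result object under the renamed `___proto___` key, which is why a check on `Object.prototype` after parsing is enough to catch a regression.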