5.3

CVSS Score

3.1

Basic Information

CVE ID

CVE-2020-7608

GHSA ID

GHSA-p9pc-299p-vxgp

EPSS Score

0.30352%

CWE

CWE-915

Published

9/4/2020

Updated

1/27/2023

KEV Status

Technology

JavaScript

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2020-7608

CVE-2020-7608: yargs-parser Vulnerable to Prototype Pollution

Affected versions of yargs-parser are vulnerable to prototype pollution. Arguments are not properly sanitized, allowing an attacker to modify the prototype of Object, causing the addition or modification of an existing property that will exist on all objects.
Parsing the argument --foo.__proto__.bar baz' adds a bar property with value baz to all objects. This is only exploitable if attackers have control over the arguments being passed to yargs-parser.

Recommendation

Upgrade to versions 13.1.2, 15.0.1, 18.1.1 or later.

(GitHub Advisory)

5.3

CVSS Score

3.1

Basic Information

CVE ID

CVE-2020-7608

GHSA ID

GHSA-p9pc-299p-vxgp

EPSS Score

0.30352%

CWE

CWE-915

Published

9/4/2020

Updated

1/27/2023

KEV Status

Technology

JavaScript

Technical Details

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
yargs-parser	npm	>= 6.0.0, < 13.1.2	13.1.2
yargs-parser	npm	>= 14.0.0, < 15.0.1	15.0.1
yargs-parser	npm	<= 5.0.0	5.0.1
yargs-parser	npm	>= 16.0.0, < 18.1.1	18.1.1

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from how yargs-parser's core parsing logic handles object notation in arguments. The commit diff shows key sanitization was added to the parse function in index.js, specifically replacing 'proto' with 'proto' during key processing. Before this fix, the code path handling dot-notation keys (keys.slice().forEach() and key assignment) didn't prevent prototype pollution through 'proto' properties. The test cases added in the commit verify that prototype pollution is prevented by checking Object.prototype modifications, confirming the parse function's key handling was the vulnerable component.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

*****t** v*rsions o* `y*r*s-p*rs*r` *r* vuln*r**l* to prototyp* pollution. *r*um*nts *r* not prop*rly s*nitiz**, *llowin* *n *tt**k*r to mo*i*y t** prototyp* o* `O*j**t`, **usin* t** ***ition or mo*i*i**tion o* *n *xistin* prop*rty t**t will *xist on

Reasoning

T** vuln*r**ility st*ms *rom *ow y*r*s-p*rs*r's *or* p*rsin* lo*i* **n*l*s o*j**t not*tion in *r*um*nts. T** *ommit *i** s*ows k*y s*nitiz*tion w*s ***** to t** p*rs* *un*tion in in**x.js, sp**i*i**lly r*pl**in* '__proto__' wit* '___proto___' *urin*

5.3

Basic Information

Concerned about an active attack path?

CVE-2020-7608: yargs-parser Vulnerable to Prototype Pollution

Recommendation

5.3

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI