
CVE-2020-7608: yargs-parser Vulnerable to Prototype Pollution

CVSS Score: 5.3 (CVSS 3.1)

Basic Information

EPSS Score: 0.30352%
Published: 9/4/2020
Updated: 1/27/2023
KEV Status: No
Technology: JavaScript

Technical Details

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
| --- | --- | --- | --- |
| yargs-parser | npm | >= 6.0.0, < 13.1.2 | 13.1.2 |
| yargs-parser | npm | >= 14.0.0, < 15.0.1 | 15.0.1 |
| yargs-parser | npm | <= 5.0.0 | 5.0.1 |
| yargs-parser | npm | >= 16.0.0, < 18.1.1 | 18.1.1 |

Vulnerability Intelligence
Root Cause Analysis

The vulnerability stems from how yargs-parser's core parsing logic handles object notation in arguments. The commit diff shows that key sanitization was added to the parse function in index.js, specifically replacing '__proto__' with '___proto___' during key processing. Before this fix, the code path handling dot-notation keys (keys.slice().forEach() and key assignment) did not prevent prototype pollution through '__proto__' properties. The test cases added in the commit verify that prototype pollution is prevented by checking for Object.prototype modifications, confirming that the parse function's key handling was the vulnerable component.
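The key handling described above, as an added example that is not yargs-parser's own code: a simplified dot-notation setter run with and without the '__proto__' to '___proto___' replacement, followed by the same kind of Object.prototype check the commit's tests perform. The names setKey, sanitizeKey, pollutionCheck and the marker property are assumptions made for this illustration.

```javascript
// Added example: a simplified model of dot-notation key assignment.
// This is NOT yargs-parser's source; function names are hypothetical.

// Mirrors the fix described in the root cause analysis:
// the key '__proto__' is rewritten to '___proto___'.
function sanitizeKey(key) {
  return key === '__proto__' ? '___proto___' : key;
}

// Assign `value` at a dotted path inside `obj`, creating intermediate objects.
// sanitize=false models the pre-fix behaviour, sanitize=true the patched one.
function setKey(obj, dottedKey, value, sanitize) {
  const keys = dottedKey.split('.').map(k => (sanitize ? sanitizeKey(k) : k));
  let o = obj;
  keys.slice(0, -1).forEach(k => {
    // An unsanitized '__proto__' segment resolves to Object.prototype here,
    // so the walk continues on the shared prototype instead of a new object.
    if (typeof o[k] !== 'object' || o[k] === null) o[k] = {};
    o = o[k];
  });
  o[keys[keys.length - 1]] = value;
  return obj;
}

// Parse one constructed key and report whether a fresh, unrelated object
// observes the property (the check a regression test would make).
function pollutionCheck(sanitize) {
  const marker = 'gr_demo_marker'; // constructed property name
  const argv = setKey({}, `foo.__proto__.${marker}`, 'x', sanitize);
  const leaked = ({})[marker] === 'x';
  delete Object.prototype[marker]; // restore global state after the check
  return { leaked, argv };
}

console.log(pollutionCheck(false).leaked, pollutionCheck(true).leaked); // true false
```

With sanitization enabled the value is stored under an ordinary own property named `___proto___` on the parsed result, so the data is kept but the shared prototype is never reached.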


WAF Protection Rules

WAF Rule

Affected versions of `yargs-parser` are vulnerable to prototype pollution. Arguments are not properly sanitized, allowing an attacker to modify the prototype of `Object`, causing the addition or modification of an existing property that will exist on
