Platform
nodejs
Component
yargs-parser
Fixed in
18.1.2
13.1.2
CVE-2020-7608 is a prototype pollution vulnerability affecting the yargs-parser package. This vulnerability allows attackers to modify the prototype of Object, potentially leading to unexpected behavior and security implications within applications using yargs-parser. The vulnerability affects versions prior to 13.1.2, 15.0.1, and 18.1.1; those releases contain the fix.
Prototype pollution occurs when an attacker can manipulate the prototype of JavaScript objects, adding or modifying properties that are then inherited by every object created afterwards. In yargs-parser this vulnerability arises from insufficient sanitization of the dotted argument keys passed to the parser. An attacker who can control the arguments passed to yargs-parser can use this to inject properties into Object.prototype, potentially affecting the behavior of the application. While direct remote code execution is unlikely, the modified prototype can lead to denial-of-service conditions, unexpected application behavior, or even privilege escalation depending on how the parsed arguments are used within the application. This vulnerability shares similarities with other prototype pollution attacks, where subtle modifications can have widespread consequences.
CVE-2020-7608 was published on September 4, 2020. There is no indication of active exploitation campaigns targeting this vulnerability. Public proof-of-concept (POC) code is available, demonstrating the feasibility of prototype pollution using yargs-parser. This vulnerability is not listed on KEV or EPSS, indicating a low to medium probability of exploitation in the wild, primarily due to the requirement for attacker control over arguments passed to the parser.
Exploit Status
EPSS
0.13% (32nd percentile)
CVSS-vector
The primary mitigation for CVE-2020-7608 is to upgrade to a patched version of yargs-parser. Versions 13.1.2, 15.0.1, and 18.1.1 or later address the vulnerability. If upgrading is not immediately feasible, implement input validation and sanitization on the arguments passed to yargs-parser so that malicious input never reaches the parser. A WAF rule is unlikely to be a practical control here, but stricter input validation at the application level can help. Carefully review any code that uses the parsed arguments to ensure it handles unexpected properties gracefully. After upgrading, confirm the fix by passing a malicious argument such as --foo.__proto__.bar baz to yargs-parser and verifying that no bar property is added to Object.prototype (a freshly created {} should still have no bar property).
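The following is an added example, not code from yargs-parser or from this advisory. It illustrates both the mechanism described above (a dotted-key setter that walks into Object.prototype when it meets a __proto__ segment) and the post-upgrade check just described. The parser here is a deliberately minimal stand-in for yargs-parser's "--a.b.c value" handling; the names setDottedKey, makeParser, parseUnsafe, parseSafe and isPolluted are all invented for this illustration, and the hardened variant's choice to drop the whole argument (rather than, say, escape it) is an assumption, not a description of how the upstream fix was implemented.

```javascript
// Added example; not yargs-parser's own code. A minimal "--a.b.c value"
// argument parser in the style of yargs-parser, in an unguarded form and a
// hardened form, plus the post-upgrade check the advisory describes.

// Key segments that let a dotted path reach a shared prototype object.
const FORBIDDEN_SEGMENTS = new Set(['__proto__', 'constructor', 'prototype']);

// Walk (creating as needed) the nested objects for a dotted key and assign
// the leaf. When `guard` is true, prototype-reaching segments are rejected.
function setDottedKey(target, dottedKey, value, guard) {
  const segments = dottedKey.split('.');
  if (guard && segments.some((s) => FORBIDDEN_SEGMENTS.has(s))) {
    // Hardened behaviour (assumed for this example): drop the argument
    // instead of walking into Object.prototype.
    return false;
  }
  let cur = target;
  for (let i = 0; i < segments.length - 1; i++) {
    const seg = segments[i];
    if (typeof cur[seg] !== 'object' || cur[seg] === null) {
      cur[seg] = {};
    }
    // Unguarded: cur['__proto__'] evaluates to Object.prototype, so the
    // final assignment below lands on the shared prototype.
    cur = cur[seg];
  }
  cur[segments[segments.length - 1]] = value;
  return true;
}

// Tiny argv parser: handles "--k v" and "--k=v"; other tokens are positional.
function makeParser(guard) {
  return function parse(argv) {
    const result = { _: [] };
    for (let i = 0; i < argv.length; i++) {
      const tok = argv[i];
      if (!tok.startsWith('--')) {
        result._.push(tok);
        continue;
      }
      let key = tok.slice(2);
      let value;
      const eq = key.indexOf('=');
      if (eq !== -1) {
        value = key.slice(eq + 1);
        key = key.slice(0, eq);
      } else if (i + 1 < argv.length && !argv[i + 1].startsWith('--')) {
        value = argv[++i];
      } else {
        value = true; // bare flag
      }
      setDottedKey(result, key, value, guard);
    }
    return result;
  };
}

const parseUnsafe = makeParser(false); // behaves like the vulnerable versions
const parseSafe = makeParser(true);    // behaves like a patched version

// The verification step from the advisory: feed the payload from the text,
// then ask a brand-new object whether it inherited "bar". Returns true when
// the parser under test polluted Object.prototype. The finally block removes
// any pollution so one check cannot contaminate later code in the process.
function isPolluted(parse) {
  let polluted = false;
  try {
    parse(['--foo.__proto__.bar', 'baz']);
    polluted = ({}).bar === 'baz';
  } finally {
    delete Object.prototype.bar;
  }
  return polluted;
}

// Stand-alone run: expect "unguarded: true" and "hardened: false".
console.log('unguarded:', isPolluted(parseUnsafe));
console.log('hardened:', isPolluted(parseSafe));
console.log('normal parse:', JSON.stringify(parseSafe(['--foo.bar', 'baz', 'pos'])));
```

To apply the same check to the real package after upgrading, pass yargs-parser's exported parse function to isPolluted in place of parseSafe; a patched version returns false. The check deliberately inspects a fresh object literal rather than the parse result, because pollution shows up on objects that never touched the parser.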
Upgrade yargs-parser to version 18.1.1 or later. If upgrading to the latest version is not possible, upgrade to version 13.1.2 or 15.0.1, which also contain the fix for this vulnerability. This prevents a '__proto__' payload from modifying properties of Object.prototype.
CVE-2020-7608 is a medium severity prototype pollution vulnerability in the yargs-parser package. It allows attackers to modify the prototype of Object, potentially impacting application behavior if they can control arguments passed to the parser.
You are affected if you are using a version of yargs-parser prior to 13.1.2, 15.0.1, or 18.1.1 and your application allows attackers to control the arguments passed to the parser.
Upgrade to version 13.1.2, 15.0.1, or 18.1.1 or later. Implement input validation on arguments passed to yargs-parser as a temporary workaround.
There is no current evidence of active exploitation campaigns targeting CVE-2020-7608, but public POC code exists.
Refer to the yargs-parser GitHub repository for updates and advisories: https://github.com/yargs/yargs-parser