Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLTIyaDctN3d3Zy1xbWdn

Prototype Pollution in @hapi/hoek

Versions of @hapi/hoek prior to 8.5.1 and 9.0.3 are vulnerable to Prototype Pollution. The clone function fails to prevent the modification of the Object prototype when passed specially-crafted input. Attackers may use this to change existing properties that exist in all objects, which may lead to Denial of Service or Remote Code Execution in specific circumstances.
This issue does not affect hapi applications since the framework protects against such malicious inputs. Applications that use @hapi/hoek outside of the hapi ecosystem may be vulnerable.

Recommendation

Update to version 8.5.1, 9.0.3 or later.

Permalink: https://github.com/advisories/GHSA-22h7-7wwg-qmgg
JSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLTIyaDctN3d3Zy1xbWdn
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Low
Classification: General
Published: about 4 years ago
Updated: almost 2 years ago

Identifiers: GHSA-22h7-7wwg-qmgg
References:

Blast Radius: 0.0

Affected Packages

npm:@hapi/hoek

Dependent packages: 396
Dependent repositories: 2,019,365
Downloads: 69,107,752 last month
Affected Version Ranges: >= 9.0.0, < 9.0.3, >= 8.3.2, < 8.5.1
Fixed in: 9.0.3, 8.5.1
All affected versions: 8.3.2, 8.4.0, 8.5.0, 9.0.0, 9.0.1, 9.0.2
All unaffected versions: 6.2.0, 6.2.1, 6.2.2, 6.2.3, 6.2.4, 7.0.0, 7.1.0, 7.2.0, 7.2.1, 8.0.0, 8.0.1, 8.0.2, 8.1.0, 8.2.0, 8.2.1, 8.2.2, 8.2.3, 8.2.4, 8.2.5, 8.3.0, 8.3.1, 8.5.1, 9.0.3, 9.0.4, 9.1.0, 9.1.1, 9.2.0, 9.2.1, 9.3.0, 10.0.0, 10.0.1, 11.0.0, 11.0.1, 11.0.2, 11.0.3, 11.0.4, 11.0.5, 11.0.6, 11.0.7