Ecosyste.ms: Advisories

Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLWpwNHgtdzYzbS03d2dt

Prototype Pollution in hoek

Versions of hoek prior to 4.2.1 and 5.0.3 are vulnerable to prototype pollution.

The merge function, and the applyToDefaults and applyToDefaultsWithShallow functions which leverage merge behind the scenes, are vulnerable to a prototype pollution attack when provided an unvalidated payload created from a JSON string containing the __proto__ property.

This can be demonstrated like so:

var Hoek = require('hoek');
var malicious_payload = '{"__proto__":{"oops":"It works !"}}';

var a = {};
console.log("Before : " + a.oops);
Hoek.merge({}, JSON.parse(malicious_payload));
console.log("After : " + a.oops);

This type of attack can be used to overwrite existing properties causing a potential denial of service.

Recommendation

Update to version 4.2.1, 5.0.3 or later.

Permalink: https://github.com/advisories/GHSA-jp4x-w63m-7wgm
JSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLWpwNHgtdzYzbS03d2dt
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: over 6 years ago
Updated: about 1 year ago

CVSS Score: 8.8
CVSS vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Identifiers: GHSA-jp4x-w63m-7wgm, CVE-2018-3728
References:

• https://nvd.nist.gov/vuln/detail/CVE-2018-3728
• https://hackerone.com/reports/310439
• https://github.com/advisories/GHSA-jp4x-w63m-7wgm
• https://www.npmjs.com/advisories/566
• https://github.com/hapijs/hoek/commit/32ed5c9413321fbc37da5ca81a7cbab693786dee
• https://access.redhat.com/errata/RHSA-2018:1263
• https://access.redhat.com/errata/RHSA-2018:1264
• https://snyk.io/vuln/npm:hoek:20180212
• http://www.securityfocus.com/bid/103108

Repository: https://github.com/hapijs/hoek
Blast Radius: 50.1

Affected Packages