Skip to content

Prototype Pollution in @hapi/hoek

Low severity GitHub Reviewed Published Sep 4, 2020 to the GitHub Advisory Database • Updated Jan 9, 2023

Package

npm @hapi/hoek (npm)

Affected versions

>= 8.3.2, < 8.5.1
>= 9.0.0, < 9.0.3

Patched versions

8.5.1
9.0.3

Description

Versions of @hapi/hoek prior to 8.5.1 and 9.0.3 are vulnerable to Prototype Pollution. The clone function fails to prevent the modification of the Object prototype when passed specially-crafted input. Attackers may use this to change existing properties that exist in all objects, which may lead to Denial of Service or Remote Code Execution in specific circumstances.
This issue does not affect hapi applications since the framework protects against such malicious inputs. Applications that use @hapi/hoek outside of the hapi ecosystem may be vulnerable.

Recommendation

Update to version 8.5.1, 9.0.3 or later.

References

Reviewed Aug 31, 2020
Published to the GitHub Advisory Database Sep 4, 2020
Last updated Jan 9, 2023

Severity

Low

Weaknesses

CVE ID

No known CVE

GHSA ID

GHSA-22h7-7wwg-qmgg

Source code

No known source code
Checking history
See something to contribute? Suggest improvements for this vulnerability.