Fix CVE–2021–44906

[debricked]

CVE–2021–44906

Vulnerability details

Description

Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')

The software receives input from an upstream component that specifies attributes that are to be initialized or updated in an object, but it does not properly control modifications of attributes of the object prototype.

NVD

Minimist <=1.2.5 is vulnerable to Prototype Pollution via file index.js, function setKey() (lines 69-95).

GitHub

Prototype Pollution in minimist

Minimist <=1.2.5 is vulnerable to Prototype Pollution via file index.js, function setKey() (lines 69-95).

CVSS details - 9.8

 

CVSS3 metrics
Attack Vector	Network
Attack Complexity	Low
Privileges Required	None
User interaction	None
Scope	Unchanged
Confidentiality	High
Integrity	High
Availability	High

References

    Prototype Pollution in minimist · CVE-2021-44906 · GitHub Advisory Database · GitHub
    NVD - CVE-2021-44906
    insufficient fix for prototype pollution in setKey() CVE-2021-44906 · Issue #164 · substack/minimist · GitHub
    minimist/index.js at master · substack/minimist · GitHub
    javascript - Adding custom properties to a function - Stack Overflow
    JavaScript-vulnerability-detection/minimist PoC.zip at main · Marynk/JavaScript-vulnerability-detection · GitHub
    don't assign onto proto · substack/minimist@63e7ed0 · GitHub
    even more aggressive checks for protocol pollution · substack/minimist@38a4d1c · GitHub

 

Related information

📌 Remember! Check the changes to ensure they don't introduce any breaking changes.
📚 Read more about the CVE