NodeJS/yargs-parser/3.2.0
the mighty option parser used by yargs
https://www.npmjs.com/package/yargs-parser
ISC
1 Security Vulnerabilities
yargs-parser Vulnerable to Prototype Pollution
Published date: 2020-09-04T18:00:54Z
CVE: CVE-2020-7608
Links:
- https://snyk.io/vuln/SNYK-JS-YARGSPARSER-560381
- https://github.com/advisories/GHSA-p9pc-299p-vxgp
- https://github.com/yargs/yargs-parser/commit/63810ca1ae1a24b08293a4d971e70e058c7a41e2
- https://nvd.nist.gov/vuln/detail/CVE-2020-7608
- https://www.npmjs.com/advisories/1500
- https://github.com/yargs/yargs-parser/commit/1c417bd0b42b09c475ee881e36d292af4fa2cc36
Affected versions of `yargs-parser` are vulnerable to prototype pollution. Arguments are not properly sanitized, allowing an attacker to modify the prototype of `Object`, causing the addition or modification of an existing property that will exist on all objects.
Parsing the argument `--foo.__proto__.bar baz` adds a `bar` property with value `baz` to all objects. This is only exploitable if attackers have control over the arguments being passed to `yargs-parser`.
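The mechanism described above, as an added example that is not taken from this page or from yargs-parser's source: a simplified dotted-key setter with the flaw, beside one way to harden it. The names `setKeyUnsafe`, `setKeySafe`, `BLOCKED` and `pollutes` are hypothetical, and the blocklist is an assumed mitigation, not a description of the upstream patch.

```javascript
// Simplified illustration of dotted-key expansion (not yargs-parser's code).
function setKeyUnsafe(target, dottedKey, value) {
  const parts = dottedKey.split('.');
  let obj = target;
  for (const part of parts.slice(0, -1)) {
    // obj['__proto__'] resolves to Object.prototype instead of creating a child.
    if (typeof obj[part] !== 'object' || obj[part] === null) obj[part] = {};
    obj = obj[part];
  }
  obj[parts[parts.length - 1]] = value;
  return target;
}

// Segments that can reach a prototype (assumed blocklist for this example).
const BLOCKED = new Set(['__proto__', 'constructor', 'prototype']);

function setKeySafe(target, dottedKey, value) {
  const parts = dottedKey.split('.');
  // Drop the whole key if any segment could reach a prototype.
  if (parts.some((p) => BLOCKED.has(p))) return target;
  let obj = target;
  for (const part of parts.slice(0, -1)) {
    // Descend only into own properties; never follow inherited ones.
    if (!Object.prototype.hasOwnProperty.call(obj, part) ||
        typeof obj[part] !== 'object' || obj[part] === null) {
      obj[part] = Object.create(null);
    }
    obj = obj[part];
  }
  obj[parts[parts.length - 1]] = value;
  return target;
}

// True if `setter` leaks `probe` onto Object.prototype when given `key`.
function pollutes(setter, key, probe) {
  try {
    setter({}, key, 'baz');
    return Object.prototype.hasOwnProperty.call(Object.prototype, probe);
  } finally {
    delete Object.prototype[probe]; // always restore the global prototype
  }
}

// Constructed input: the key form of the argument quoted in the advisory.
console.log('unsafe pollutes:', pollutes(setKeyUnsafe, 'foo.__proto__.bar', 'bar'));
console.log('safe pollutes:  ', pollutes(setKeySafe, 'foo.__proto__.bar', 'bar'));
```

The `pollutes` helper doubles as a regression check: run it against whatever key-expansion routine consumes untrusted arguments.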
Recommendation
Upgrade to versions 13.1.2, 15.0.1, 18.1.1 or later.
Affected versions:
["16.0.0", "16.1.0", "17.0.0", "17.0.1", "17.1.0", "18.0.0", "18.1.0", "18.1.1-beta.0", "1.0.0", "1.1.0", "1.1.1-alpha", "1.1.1-alpha2", "1.1.1-alpha3", "2.0.0", "2.1.0", "2.1.1", "2.1.2", "2.2.0", "2.4.0-next", "2.4.0", "2.4.1", "3.1.0", "3.2.0", "4.0.0", "4.0.1", "4.0.2", "4.1.0", "4.2.0", "4.2.1", "4.2.1-candidate.0", "4.2.1-candidate.1", "5.0.0", "5.0.0-security.0", "6.0.0", "6.0.1", "7.0.0", "8.0.0", "8.1.0", "9.0.0", "9.0.1", "9.0.2", "10.0.0", "10.1.0", "11.0.0", "11.1.0", "11.1.1", "12.0.0", "13.0.0-candidate.0", "13.0.0", "13.1.0", "13.1.1", "14.0.0", "15.0.0"]
Secure versions:
[15.0.1, 13.1.2, 18.1.1, 18.1.2, 18.1.3, 19.0.0-beta.0, 19.0.0-beta.1, 19.0.0-beta.2, 19.0.0-beta.3, 19.0.0, 19.0.1, 19.0.4, 20.0.0, 20.1.0, 20.2.0, 20.2.1, 20.2.2, 20.2.3, 20.2.4, 20.2.5, 20.2.6, 5.0.1, 20.2.7, 15.0.2, 15.0.3, 20.2.9, 21.0.0, 21.0.1, 21.1.0, 21.1.1]
Recommendation:
Update to version 21.1.1.
83 Other Versions
Version | License | Security | Released | Age |
---|---|---|---|---|
21.1.1 | ISC | | 2022-08-04 - 21:13 | over 2 years |
21.1.0 | ISC | | 2022-08-03 - 19:24 | over 2 years |
21.0.1 | ISC | | 2022-02-27 - 15:10 | almost 3 years |
21.0.0 | ISC | | 2021-11-16 - 02:49 | about 3 years |
20.2.9 | ISC | | 2021-06-20 - 23:54 | over 3 years |
20.2.7 | ISC | | 2021-03-10 - 19:33 | over 3 years |
20.2.6 | ISC | | 2021-02-22 - 02:46 | almost 4 years |
20.2.5 | ISC | | 2021-02-13 - 20:13 | almost 4 years |
20.2.4 | ISC | | 2020-11-09 - 01:50 | about 4 years |
20.2.3 | ISC | | 2020-10-16 - 15:45 | about 4 years |
20.2.2 | ISC | | 2020-10-14 - 19:00 | about 4 years |
20.2.1 | ISC | | 2020-10-01 - 18:23 | about 4 years |
20.2.0 | ISC | | 2020-09-21 - 02:54 | about 4 years |
20.1.0 | ISC | | 2020-09-20 - 04:34 | about 4 years |
20.0.0 | ISC | | 2020-09-09 - 17:53 | about 4 years |
19.0.4 | ISC | | 2020-08-27 - 05:38 | over 4 years |
19.0.1 | ISC | | 2020-08-09 - 04:27 | over 4 years |
19.0.0 | ISC | | 2020-08-09 - 04:16 | over 4 years |
19.0.0-beta.3 | ISC | | 2020-08-06 - 04:16 | over 4 years |
19.0.0-beta.2 | ISC | | 2020-08-04 - 05:24 | over 4 years |
19.0.0-beta.1 | ISC | | 2020-07-19 - 02:18 | over 4 years |
19.0.0-beta.0 | ISC | | 2020-07-19 - 00:00 | over 4 years |
18.1.3 | ISC | | 2020-04-16 - 20:13 | over 4 years |
18.1.2 | ISC | | 2020-03-26 - 17:14 | over 4 years |
18.1.1 | ISC | | 2020-03-16 - 07:19 | over 4 years |
18.1.1-beta.0 | ISC | 1 | 2020-03-12 - 18:20 | over 4 years |
18.1.0 | ISC | 1 | 2020-03-07 - 19:43 | over 4 years |
18.0.0 | ISC | 1 | 2020-03-02 - 06:01 | almost 5 years |
17.1.0 | ISC | 1 | 2020-03-01 - 01:35 | almost 5 years |
17.0.1 | ISC | 1 | 2020-02-29 - 21:03 | almost 5 years |
17.0.0 | ISC | 1 | 2020-02-10 - 03:52 | almost 5 years |
16.1.0 | ISC | 1 | 2019-11-01 - 22:41 | about 5 years |
16.0.0 | ISC | 1 | 2019-10-27 - 02:54 | about 5 years |
15.0.3 | ISC | | 2021-06-20 - 22:52 | over 3 years |
15.0.2 | ISC | | 2021-06-20 - 22:52 | over 3 years |
15.0.1 | ISC | | 2020-03-13 - 20:56 | over 4 years |
15.0.0 | ISC | 1 | 2019-10-07 - 00:09 | about 5 years |
14.0.0 | ISC | 1 | 2019-09-06 - 19:36 | about 5 years |
13.1.2 | ISC | | 2020-03-13 - 21:21 | over 4 years |
13.1.1 | ISC | 1 | 2019-06-10 - 01:17 | over 5 years |
13.1.0 | ISC | 1 | 2019-05-05 - 21:33 | over 5 years |
13.0.0 | ISC | 1 | 2019-02-02 - 21:30 | almost 6 years |
13.0.0-candidate.0 | ISC | 1 | 2019-02-02 - 20:43 | almost 6 years |
12.0.0 | ISC | 1 | 2019-01-29 - 00:49 | almost 6 years |
11.1.1 | ISC | 1 | 2018-11-19 - 23:34 | about 6 years |
11.1.0 | ISC | 1 | 2018-11-10 - 00:30 | about 6 years |
11.0.0 | ISC | 1 | 2018-10-06 - 22:52 | about 6 years |
10.1.0 | ISC | 1 | 2018-06-29 - 05:14 | over 6 years |
10.0.0 | ISC | 1 | 2018-04-04 - 02:10 | over 6 years |
9.0.2 | ISC | 1 | 2018-01-20 - 23:23 | almost 7 years |
9.0.1 | ISC | 1 | 2018-01-20 - 23:03 | almost 7 years |
9.0.0 | ISC | 1 | 2018-01-20 - 22:47 | almost 7 years |
8.1.0 | ISC | 1 | 2017-12-20 - 06:20 | almost 7 years |
8.0.0 | ISC | 1 | 2017-10-05 - 06:22 | about 7 years |
7.0.0 | ISC | 1 | 2017-05-02 - 05:59 | over 7 years |
6.0.1 | ISC | 1 | 2017-05-01 - 05:57 | over 7 years |
6.0.0 | ISC | 1 | 2017-05-01 - 00:52 | over 7 years |
5.0.1 | ISC | | 2021-03-10 - 19:21 | over 3 years |
5.0.0 | ISC | 1 | 2017-02-18 - 19:58 | almost 8 years |
5.0.0-security.0 | ISC | 1 | 2020-05-22 - 00:32 | over 4 years |
4.2.1 | ISC | 1 | 2017-01-02 - 19:42 | almost 8 years |
4.2.1-candidate.1 | ISC | 1 | 2017-01-06 - 23:22 | almost 8 years |
4.2.1-candidate.0 | ISC | 1 | 2017-01-06 - 22:51 | almost 8 years |
4.2.0 | ISC | 1 | 2016-12-01 - 18:49 | about 8 years |
4.1.0 | ISC | 1 | 2016-11-07 - 06:31 | about 8 years |
4.0.2 | ISC | 1 | 2016-09-30 - 06:52 | about 8 years |
4.0.1 | ISC | 1 | 2016-09-30 - 06:36 | about 8 years |
4.0.0 | ISC | 1 | 2016-09-26 - 05:38 | about 8 years |
3.2.0 | ISC | 1 | 2016-08-13 - 19:53 | over 8 years |
3.1.0 | ISC | 1 | 2016-08-09 - 06:26 | over 8 years |
2.4.1 | ISC | 1 | 2016-07-16 - 22:51 | over 8 years |
2.4.0 | ISC | 1 | 2016-04-11 - 06:04 | over 8 years |
2.4.0-next | ISC | 1 | 2016-04-11 - 03:04 | over 8 years |
2.2.0 | ISC | 1 | 2016-03-30 - 06:15 | over 8 years |
2.1.2 | ISC | 1 | 2016-03-20 - 19:04 | over 8 years |
2.1.1 | ISC | 1 | 2016-02-23 - 06:54 | almost 9 years |
2.1.0 | ISC | 1 | 2016-02-14 - 09:04 | almost 9 years |
2.0.0 | ISC | 1 | 2016-02-06 - 20:39 | almost 9 years |
1.1.1-alpha3 | ISC | 1 | 2016-02-01 - 06:13 | almost 9 years |
1.1.1-alpha2 | ISC | 1 | 2016-01-30 - 20:29 | almost 9 years |
1.1.1-alpha | ISC | 1 | 2016-01-29 - 06:18 | almost 9 years |
1.1.0 | ISC | 1 | 2016-01-24 - 22:43 | almost 9 years |
1.0.0 | ISC | 1 | 2016-01-23 - 21:12 | almost 9 years |