CVE-2020-36604
Prototype Pollution vulnerability in hoek (npm)
What is CVE-2020-36604 About?
The `hoek` library, in versions prior to 8.5.1 and 9.x prior to 9.0.3, is vulnerable to prototype pollution in its `clone` function. This allows an attacker to inject properties into the `Object.prototype`, affecting all objects. This could lead to a denial of service or remote code execution. Exploitation is moderately complex, requiring an object with a `__proto__` key to be passed to the `clone` function.
Affected Software
- @hapi/hoek
  - >9.0.0, <9.0.3
  - <8.5.1
- hoek
  - <=6.1.3
Technical Details
The hoek library's `clone` function, designed to deep-copy objects, fails to properly handle objects containing the `__proto__` key. When `clone` processes an input object that includes a key named `__proto__`, it incorrectly interprets this special key. Instead of treating `__proto__` as a regular property, the function converts it into a prototype. This means any properties nested under the `__proto__` key in the attacker's input will be added to the global `Object.prototype`. Since `Object.prototype` is the base prototype for all JavaScript objects, any properties injected here will become accessible on virtually all objects in the application, including those created by the application itself. This effectively allows an attacker to add or modify properties on fundamental JavaScript objects, leading to various impacts such as method overriding, type confusion, or even remote code execution if combined with other vulnerabilities or application logic.
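The key-handling problem described above, as an added Node.js example that is not hoek's own code: a naive recursive clone shows how an own `__proto__` key delivered by `JSON.parse` ends up being installed as the clone's prototype, next to a pre-flight input check and a hardened clone that skips such keys and copies with `Object.defineProperty`. The function names, `FORBIDDEN_KEYS`, and the sample payload are all constructed for this illustration.

```javascript
'use strict';
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Constructed sample of untrusted input as JSON.parse delivers it: the
// "__proto__" entry is an ordinary own property at this point.
const UNTRUSTED = JSON.parse('{"name":"demo","__proto__":{"polluted":true}}');

// Vulnerable pattern, for contrast: plain assignment treats the __proto__
// key as the prototype setter, so the nested payload becomes the clone's
// prototype and unknown property lookups on the clone fall through to it.
function naiveClone(value) {
  if (value === null || typeof value !== 'object') return value;
  const out = Array.isArray(value) ? [] : {};
  for (const key of Object.keys(value)) out[key] = naiveClone(value[key]);
  return out;
}

// Pre-flight input check: returns the path of the first forbidden key
// (so the request can be rejected and logged), or null when clean.
function findForbiddenKey(value, path = '$') {
  if (value === null || typeof value !== 'object') return null;
  for (const key of Object.keys(value)) {
    const here = `${path}.${key}`;
    if (FORBIDDEN_KEYS.has(key)) return here;
    const hit = findForbiddenKey(value[key], here);
    if (hit) return hit;
  }
  return null;
}

// Hardened deep clone: drops forbidden keys and installs every other key
// with Object.defineProperty, which creates an own data property and never
// triggers the __proto__ accessor; the seen map preserves cycles.
function safeClone(value, seen = new Map()) {
  if (value === null || typeof value !== 'object') return value;
  if (seen.has(value)) return seen.get(value);
  const out = Array.isArray(value) ? [] : {};
  seen.set(value, out);
  for (const key of Object.keys(value)) {
    if (FORBIDDEN_KEYS.has(key)) continue;
    Object.defineProperty(out, key, {
      value: safeClone(value[key], seen),
      enumerable: true, writable: true, configurable: true,
    });
  }
  return out;
}
```

Running `findForbiddenKey` on parsed request bodies before any deep-copy or merge gives a cheap detection point, and `safeClone(UNTRUSTED)` yields an object whose prototype is still `Object.prototype` with no `polluted` property reachable.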
What is the Impact of CVE-2020-36604?
Successful exploitation may allow attackers to inject arbitrary properties into the `Object.prototype`, potentially leading to denial of service, remote code execution (via property overriding or gadget chain), or security bypasses in the affected application.
What is the Exploitability of CVE-2020-36604?
Exploiting this prototype pollution vulnerability requires the attacker to be able to provide an object with a crafted `__proto__` key as input to the `hoek.clone()` function within the application. The complexity is moderate, as it requires the attacker to understand where and how the `clone` function is used with user-controlled data. Authentication and privilege requirements depend on where the vulnerable `clone` call is located; if it processes unauthenticated user input, no authentication is needed. This can be a remote or local exploit depending on how the input is supplied. Special conditions involve the application using the hoek library and specifically invoking its `clone` function with data that an attacker can partially control. Risk factors increasing exploitation likelihood include applications that parse and deep-copy complex JSON or JavaScript objects from untrusted sources.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2020-36604?
Available Upgrade Options
- @hapi/hoek
  - <8.5.1 → Upgrade to 8.5.1
  - >9.0.0, <9.0.3 → Upgrade to 9.0.3
Additional Resources
- https://github.com/hapijs/hoek/commit/4d0804bc6135ad72afdc5e1ec002b935b2f5216a
- https://osv.dev/vulnerability/GHSA-c429-5p7v-vgjp
- https://github.com/hapijs/hoek/issues/352
- https://security.snyk.io/vuln/SNYK-JS-HAPIHOEK-548452
- https://github.com/hapijs/hoek/commit/948baf98634a5c206875b67d11368f133034fa90
- https://nvd.nist.gov/vuln/detail/CVE-2020-36604
What are Similar Vulnerabilities to CVE-2020-36604?
Similar Vulnerabilities: CVE-2020-28263, CVE-2020-7712, CVE-2020-13768, CVE-2020-28498, CVE-2021-23343
