CVE-2020-7598
prototype pollution vulnerability in minimist (npm)
What is CVE-2020-7598 About?
This vulnerability is a prototype pollution flaw in affected versions of `minimist`, where arguments are not properly sanitized. Attackers can modify the prototype of `Object`, adding or changing properties that will exist on all objects, leading to various impacts including denial of service. Exploitation is relatively easy if an attacker can control input to the package.
Affected Software
- minimist
  - <0.2.1
  - >1.0.0, <1.2.3
Technical Details
The `minimist` package is vulnerable to prototype pollution because it does not adequately sanitize arguments. Specifically, when parsing arguments like `--__proto__.y=Polluted` or `--__proto__=Polluted`, the package directly interprets `__proto__` as a property to be modified on the `Object` prototype. This attack vector allows an attacker to inject arbitrary properties and values into `Object.prototype`, which then propagate to all objects in the JavaScript environment. Sending `--__proto__.y=Polluted` would add a `y` property to all objects, while `--__proto__=Polluted` would cause an uncaught error, leading to an application crash (denial of service). This occurs because minimist's argument parsing logic maps input keys directly to object properties without sufficient validation or sanitization of the `__proto__` property.
What is the Impact of CVE-2020-7598?
Successful exploitation may allow attackers to inject properties into all JavaScript objects, manipulate application logic, bypass security controls, and potentially achieve remote code execution or cause a denial of service.
What is the Exploitability of CVE-2020-7598?
Exploitation is of low to medium complexity, as it requires an attacker to have control over the arguments being passed to the `minimist` package. There are typically no authentication or privilege requirements beyond input control. This is a remote exploitation scenario if the application exposes an interface that accepts user-controlled arguments, such as command-line utilities or web interfaces that parse query parameters using `minimist`. The key prerequisite is unsanitized user input reaching the argument parser. The ability to cause an application crash with `--__proto__=Polluted` makes it a viable denial-of-service vector, while custom property injection could lead to more severe, application-specific impacts.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2020-7598?
About the Fix from Resolved Security
This patch prevents setting properties on special objects like `__proto__`, `Object.prototype`, `Number.prototype`, `String.prototype`, and `Array.prototype`, blocking prototype pollution attacks. By skipping assignments to these keys and prototypes, it mitigates the risk of injecting arbitrary properties into global prototypes, which is the root cause of CVE-2020-7598.
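The parsing flaw described under Technical Details and the guard described in this fix, shown side by side as an added example that is not minimist's or Resolved Security's code. `setKeyUnsafe`, `setKeySafe`, `parseArgs` and `demo` are hypothetical names for a simplified dotted-key setter, and the sample arguments are constructed.

```javascript
// Added illustration: a simplified dotted-key setter, not minimist's source.
// All function names and the sample arguments are constructed for this example.

// Vulnerable pattern: walks the key path with no check on "__proto__".
function setKeyUnsafe(obj, keys, value) {
  let o = obj;
  for (const key of keys.slice(0, -1)) {
    if (o[key] === undefined) o[key] = {};
    o = o[key]; // for "__proto__" this is Object.prototype, not a new object
  }
  o[keys[keys.length - 1]] = value;
}

// Hardened pattern, following the fix description: skip the "__proto__" key
// and refuse to write when the walk has landed on a built-in prototype.
const PROTECTED = [Object.prototype, Number.prototype, String.prototype, Array.prototype];

function setKeySafe(obj, keys, value) {
  let o = obj;
  for (const key of keys.slice(0, -1)) {
    if (key === '__proto__') return;
    if (o[key] === undefined) o[key] = {};
    o = o[key];
    if (PROTECTED.includes(o)) return;
  }
  const last = keys[keys.length - 1];
  if (last === '__proto__' || PROTECTED.includes(o)) return;
  o[last] = value;
}

// Minimal "--a.b=value" parser that delegates assignment to the given setter.
function parseArgs(args, setKey) {
  const argv = {};
  for (const arg of args) {
    const m = /^--([^=]+)=(.*)$/.exec(arg);
    if (m) setKey(argv, m[1].split('.'), m[2]);
  }
  return argv;
}

// Parses constructed input, then reads "y" from an unrelated fresh object.
function demo(setKey) {
  const argv = parseArgs(['--name=app', '--__proto__.y=Polluted'], setKey);
  const leaked = ({}).y;
  delete Object.prototype.y; // restore global state after the check
  return { argv, leaked };
}

console.log(demo(setKeyUnsafe).leaked, demo(setKeySafe).leaked);
```

The same fresh-object probe (`({}).y`) works as a regression test after upgrading: it should stay `undefined` once the parser has handled untrusted arguments.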
Available Upgrade Options
- minimist
  - <0.2.1 → Upgrade to 0.2.1
  - >1.0.0, <1.2.3 → Upgrade to 1.2.3
Additional Resources
- https://github.com/minimistjs/minimist/commit/38a4d1caead72ef99e824bb420a2528eec03d9ab
- https://github.com/minimistjs/minimist/commit/63e7ed05aa4b1889ec2f3b196426db4500cbda94
- https://snyk.io/vuln/SNYK-JS-MINIMIST-559764
- https://www.npmjs.com/advisories/1179
- https://github.com/minimistjs/minimist/commit/4cf1354839cb972e38496d35e12f806eea92c11f#diff-a1e0ee62c91705696ddb71aa30ad4f95
- https://github.com/minimistjs/minimist/commit/10bd4cdf49d9686d48214be9d579a9cdfda37c68
- http://lists.opensuse.org/opensuse-security-announce/2020-06/msg00024.html
- https://nvd.nist.gov/vuln/detail/CVE-2020-7598
- https://github.com/substack/minimist
What are Similar Vulnerabilities to CVE-2020-7598?
Similar Vulnerabilities: CVE-2020-7774, CVE-2020-7707, CVE-2020-36632, CVE-2021-23429, CVE-2019-10744
