CVE-2020-7608
Prototype Pollution vulnerability in yargs-parser (npm)
What is CVE-2020-7608 About?
Affected versions of `yargs-parser` are vulnerable to Prototype Pollution where arguments are not properly sanitized. This allows an attacker to modify the prototype of `Object`, potentially causing widespread application issues and is exploitable if attackers control passed arguments.
Affected Software
- yargs-parser
  - <5.0.1
  - >6.0.0, <13.1.2
  - >14.0.0, <15.0.1
  - >16.0.0, <18.1.1
Technical Details
The yargs-parser library, in its affected versions, is vulnerable to a Prototype Pollution attack. The vulnerability arises because the library does not adequately sanitize or validate arguments, specifically when processing dotted, dashed arguments such as `--foo.__proto__.bar baz`. When yargs-parser processes such an argument, it treats `__proto__` as an ordinary property key and walks into it while building the nested result object. Because `__proto__` of a plain object is `Object.prototype`, the final assignment lands on the prototype shared by all JavaScript objects. An attacker can thereby inject or alter properties that every object in the application then inherits, leading to unintended behavior, denial of service, or potentially remote code execution, provided the attacker controls the arguments parsed by yargs-parser.
What is the Impact of CVE-2020-7608?
Successful exploitation may allow attackers to inject arbitrary properties into JavaScript object prototypes, which can lead to denial of service, remote code execution, or bypass of security features.
What is the Exploitability of CVE-2020-7608?
Exploitation of this Prototype Pollution vulnerability is of medium complexity, requiring the attacker to have control over the arguments passed to yargs-parser. No authentication is directly required if the vulnerable parsing happens on unauthenticated input. This is typically a remote attack vector, where an attacker can craft malicious command-line arguments, URL parameters, or other forms of input consumed by yargs-parser. Privilege requirements are low, as the attack targets the application's runtime environment rather than system-level access. The risk and likelihood of exploitation increase significantly in applications that accept and parse untrusted user input directly using yargs-parser without appropriate sanitization.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2020-7608?
About the Fix from Resolved Security
The patch prevents prototype pollution by sanitizing object keys, replacing any occurrence of __proto__ with ___proto___, which avoids altering the JavaScript object prototype. This fix addresses CVE-2020-7608 by ensuring user-supplied input cannot introduce or overwrite properties on Object.prototype, effectively blocking a key attack vector.
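The behaviour described under Technical Details and the key sanitisation described in the fix above, shown side by side. This is an added example written for this page, not yargs-parser's own code: `setPathUnsafe`, `setPathSafe`, `sanitizeKey`, `isPrototypePolluted` and `demonstrate` are illustrative names, and the dotted-key setter is a deliberately minimal stand-in for how a CLI parser expands `--foo.bar baz` into `{ foo: { bar: 'baz' } }`. The only input is the page's own example argument `foo.__proto__.bar`.

```javascript
// Added example (not yargs-parser's own code): a minimal dotted-key setter in
// the style of what an argument parser does for "--foo.bar baz", in its
// vulnerable form and in a form that applies the key sanitisation from the fix.

// Vulnerable: every path segment, "__proto__" included, is treated as a plain key.
// For a plain object, cur["__proto__"] is Object.prototype, so the loop walks
// onto the shared prototype and the final assignment pollutes it.
function setPathUnsafe(target, dottedKey, value) {
  const keys = dottedKey.split('.');
  let cur = target;
  for (const key of keys.slice(0, -1)) {
    if (cur[key] === undefined) cur[key] = {};
    cur = cur[key];
  }
  cur[keys[keys.length - 1]] = value;
  return target;
}

// The sanitisation the page describes: any occurrence of "__proto__" in a key
// is rewritten to "___proto___", which is just an ordinary property name.
function sanitizeKey(key) {
  return key.replace(/__proto__/g, '___proto___');
}

// Hardened: identical walk, but every segment is sanitised first, so the
// rewritten segment is created as a fresh own property instead of resolving
// to Object.prototype.
function setPathSafe(target, dottedKey, value) {
  const keys = dottedKey.split('.').map(sanitizeKey);
  let cur = target;
  for (const key of keys.slice(0, -1)) {
    if (cur[key] === undefined) cur[key] = {};
    cur = cur[key];
  }
  cur[keys[keys.length - 1]] = value;
  return target;
}

// Detection check: has a property been placed directly on Object.prototype?
// Useful in tests and incident triage to confirm pollution of a given name.
function isPrototypePolluted(prop) {
  return Object.prototype.hasOwnProperty.call(Object.prototype, prop);
}

function demonstrate() {
  // Constructed input, the page's own example "--foo.__proto__.bar baz".
  const argKey = 'foo.__proto__.bar';

  // Vulnerable path: a freshly created, unrelated object now inherits "bar".
  setPathUnsafe({}, argKey, 'baz');
  const unsafeResult = {
    polluted: isPrototypePolluted('bar'),
    inheritedByNewObject: ({}).bar,
  };
  // Undo the pollution so the rest of this process (and the test) is clean.
  delete Object.prototype.bar;

  // Hardened path: the value is stored under the literal key "___proto___"
  // on the parsed result, and Object.prototype is untouched.
  const parsed = setPathSafe({}, argKey, 'baz');
  const safeResult = {
    polluted: isPrototypePolluted('bar'),
    storedUnderSanitizedKey: parsed.foo.___proto___.bar,
    inheritedByNewObject: ({}).bar,
  };

  return { unsafeResult, safeResult };
}

console.log(JSON.stringify(demonstrate(), null, 2));
```

Running the block with `node` prints the two outcomes: the unsafe pass reports `polluted: true` and a brand-new `{}` already carries `bar: 'baz'`, while the sanitised pass reports `polluted: false` and the value sits harmlessly at `parsed.foo.___proto___.bar`. The `isPrototypePolluted` check is the same test a defender can run in a unit test or a post-incident script against any key an untrusted input might have reached; a property that `hasOwnProperty` finds directly on `Object.prototype` and that the application never defined there is the signature of this bug class.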
Available Upgrade Options
- yargs-parser
  - <5.0.1 → Upgrade to 5.0.1
  - >6.0.0, <13.1.2 → Upgrade to 13.1.2
  - >14.0.0, <15.0.1 → Upgrade to 15.0.1
  - >16.0.0, <18.1.1 → Upgrade to 18.1.1
Additional Resources
- https://snyk.io/vuln/SNYK-JS-YARGSPARSER-560381
- https://osv.dev/vulnerability/GHSA-p9pc-299p-vxgp
- https://www.npmjs.com/advisories/1500
- https://github.com/yargs/yargs-parser/commit/1c417bd0b42b09c475ee881e36d292af4fa2cc36
- https://github.com/yargs/yargs-parser/commit/63810ca1ae1a24b08293a4d971e70e058c7a41e2
- https://nvd.nist.gov/vuln/detail/CVE-2020-7608
- https://github.com/yargs/yargs-parser
What are Similar Vulnerabilities to CVE-2020-7608?
Similar Vulnerabilities: CVE-2020-7792, CVE-2020-35149, CVE-2019-10747, CVE-2019-11358, CVE-2019-16782
