CVE-2020-7774
Prototype Pollution vulnerability in y18n (npm)
What is CVE-2020-7774 About?
This vulnerability is a Prototype Pollution flaw in the `y18n` npm package versions before 3.2.2, 4.0.1, and 5.0.5. It allows an attacker to inject arbitrary properties into `Object.prototype`, which can lead to various impacts including data manipulation and potential remote code execution. Exploitation is relatively easy if an attacker can control input to the package.
Affected Software
- y18n
  - >5.0.0, <5.0.5
  - <3.2.2
  - >4.0.0, <4.0.1
Technical Details
The y18n npm package is vulnerable to Prototype Pollution. The flaw is reachable when an attacker controls the keys or values passed to the y18n.setLocale() and y18n.updateLocale() functions. The locale string is used as a key into the package's translation cache, which was a plain object; because a plain object inherits from Object.prototype, a locale of __proto__ makes the cache lookup return Object.prototype itself, and updateLocale() then copies the supplied properties onto it. The provided proof of concept (PoC) demonstrates this:

y18n.setLocale('__proto__');
y18n.updateLocale({polluted: true});
console.log(polluted); // true

The `polluted` property has been added to Object.prototype and is therefore visible on every object (including the global object, which is why the bare identifier resolves in the PoC), confirming a successful prototype pollution.
What is the Impact of CVE-2020-7774?
Successful exploitation may allow attackers to inject properties into all JavaScript objects, manipulate application logic, bypass security controls, and potentially achieve remote code execution or cause a denial of service.
What is the Exploitability of CVE-2020-7774?
Exploitation is of low to medium complexity: the attacker must be able to control the input to the setLocale and updateLocale functions of the y18n package. No authentication or privileges are required. The scenario is remotely exploitable when the application exposes an interface that passes user-controlled input to these functions, such as language selection in a web application. The main prerequisite is the ability to supply the string __proto__ as the locale, followed by arbitrary JSON data. Because the injected property appears immediately on every object, the vulnerability is easy to demonstrate and to leverage.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2020-7774?
About the Fix from Resolved Security
This patch fixes CVE-2020-7774 by changing the initialization of the cache from a plain object ({}) to an object created with Object.create(null), which has no prototype chain. A lookup of the key `__proto__` on such an object no longer returns Object.prototype, so a malicious locale can no longer reach Object.prototype, which protects against manipulation of application behavior through prototype pollution.
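The following added example models the cache pattern described in the Technical Details section and the Object.create(null) fix described above. It is not y18n's source code; it reproduces only the shape of the bug, and the names makeLocaleStore, lookup, isSafeLocaleName and runPoc are this example's own. Running the page's PoC against both variants shows that the plain `{}` cache lets the property land on Object.prototype while the null-prototype cache keeps the assignment local; the extra isSafeLocaleName check is a defence-in-depth measure for callers that accept a locale from untrusted input, independent of the library's internals.

```javascript
'use strict';

// Added example (not y18n's source): a minimal model of the locale-cache
// pattern behind CVE-2020-7774. `hardened` selects the Object.create(null)
// cache that the upstream fix introduced; false reproduces the vulnerable {}.
function makeLocaleStore(hardened) {
  // A plain {} inherits from Object.prototype, so cache['__proto__'] IS
  // Object.prototype. A null-prototype object has no such inherited key.
  const cache = hardened ? Object.create(null) : {};
  let locale = 'en';

  return {
    setLocale(newLocale) {
      locale = newLocale;
    },
    updateLocale(translations) {
      // Vulnerable path: with locale === '__proto__' and a plain cache, the
      // truthiness check passes (Object.prototype is an object) and
      // Object.assign writes attacker-chosen keys onto every object.
      // Hardened path: cache['__proto__'] is undefined, a fresh table is
      // stored under that harmless own key, and the assignment stays local.
      if (!cache[locale]) {
        cache[locale] = {};
      }
      Object.assign(cache[locale], translations);
    },
    lookup(key) {
      // Only own keys of the current table count as translations.
      const table = cache[locale];
      return table !== undefined && Object.prototype.hasOwnProperty.call(table, key)
        ? table[key]
        : undefined;
    },
  };
}

// Defence in depth for code that accepts a locale name from untrusted input:
// refuse the keys that reach the prototype chain of a plain object.
// (Added check for this example, not part of y18n.)
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);
function isSafeLocaleName(name) {
  return typeof name === 'string' && name.length > 0 && !FORBIDDEN_KEYS.has(name);
}

// Replays the page's PoC against a store and reports whether a brand-new,
// unrelated object picked up the injected property. Object.prototype is
// restored afterwards so repeated runs are independent.
function runPoc(hardened) {
  const y18n = makeLocaleStore(hardened);
  y18n.setLocale('__proto__');
  y18n.updateLocale({ polluted: true });
  const leaked = ({}).polluted === true;
  delete Object.prototype.polluted;
  return leaked;
}

console.log('plain {} cache pollutes Object.prototype:', runPoc(false)); // true
console.log('Object.create(null) cache pollutes Object.prototype:', runPoc(true)); // false
console.log('"__proto__" accepted as a locale name:', isSafeLocaleName('__proto__')); // false
```

The hardened store still works as a translation table (lookup of an own key succeeds, inherited names such as toString are not reported as translations), so the fix costs nothing functionally; the name check is the layer an application should add at its input boundary even after upgrading, since the same key-as-locale pattern recurs in other libraries.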
Available Upgrade Options
- y18n
  - <3.2.2 → Upgrade to 3.2.2
  - >4.0.0, <4.0.1 → Upgrade to 4.0.1
  - >5.0.0, <5.0.5 → Upgrade to 5.0.5
Additional Resources
- https://github.com/yargs/y18n/commit/a9ac604abf756dec9687be3843e2c93bfe581f25
- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1038306
- https://www.oracle.com/security-alerts/cpuApr2021.html
- https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf
- https://github.com/yargs/y18n/issues/96
- https://github.com/yargs/y18n/pull/108
- https://osv.dev/vulnerability/GHSA-c4w7-xm78-47vh
- https://snyk.io/vuln/SNYK-JS-Y18N-1021887
- https://github.com/yargs/y18n
What are Similar Vulnerabilities to CVE-2020-7774?
Similar Vulnerabilities: CVE-2020-7707, CVE-2020-7598, CVE-2020-36632, CVE-2021-23429, CVE-2019-10744
