jaysaurus/co-koa-core

A Model View Controller built on Koa.
Vulnerabilities 1 via 1 paths
Dependencies 194
Source GitHub
Commit 8141c1b4


Severity: medium
Status: new

Prototype Pollution

  • Vulnerable module: yargs-parser
  • Introduced through: yargs@12.0.5

Detailed paths

  • Introduced through: co-koa-core@jaysaurus/co-koa-core#8141c1b49012ffd97d7c8e5c87a45583fc5747b4 > yargs@12.0.5 > yargs-parser@11.1.1
    Remediation: Upgrade to yargs@13.1.0. The fix only takes effect if the lockfile then resolves yargs-parser to a patched release (see Remediation below); confirm with `npm ls yargs-parser` after upgrading.

Overview

yargs-parser is a mighty option parser used by yargs.

Affected versions of this package are vulnerable to Prototype Pollution. When expanding a dotted option name such as `--a.b.c`, the parser walks into each path segment without checking it, so a `__proto__` segment lands on Object.prototype and the final assignment adds or overwrites a property inherited by every object in the process.

Our research team checked several attack vectors to verify this vulnerability:

  1. It could be used for privilege escalation.
  2. The library could be used to parse user input received from different sources:
    • terminal emulators
    • system calls from other code bases
    • CLI RPC servers

PoC by Snyk

const parser = require("yargs-parser");
// A __proto__ segment in a dotted option name walks the parser onto Object.prototype.
console.log(parser('--foo.__proto__.bar baz'));
// On a vulnerable version this prints "baz": a fresh object now inherits the injected property.
console.log(({}).bar);

Remediation

Upgrade yargs-parser to version 13.1.2, 15.0.1, 18.1.1 or higher.
