This content cannot be displayed without JavaScript.
Please enable JavaScript and reload the page.

EIQ-2019-0008

ID	EIQ-2019-0008
CVE	CVE-2018-3728
Description	hoek enables prototype pollution
Date	05 Feb 2019
Severity	2 - MEDIUM
CVSSv3 score	6.5
Status	2.5.0
Assessment	The hoek Node.js module versions 4.2.0 and earlier, and from version 5.0.0 to 5.0.2, make it possible for an attacker to use the `merge`, `applyToDefaults`, and `applyToDefaultsWithShallow` functions to pass a non-validated JSON string containing the `__proto__` accessor property. This enables arbitrary adding or modifying object prototype properties. Modified properties are propagated through inheritance to all objects, which can result in a denial of service attack.
Mitigation	Update to hoek 4.2.1, or 6.0.0 or later.
Affected versions	2.1.0 to 2.4.0 included.
Notes	For more information, see: Prototype pollution Prototype pollution attack (Hoek) Prototype pollution affecting hoek package versions <4.2.1 \|\| >=5.0.0 <5.0.3 prototype pollution issues in npm audit log

< Back to all security issues and mitigation actions

In release notes 2.3.3

In release notes 2.3.4

In release notes 2.5.0