EIQ-2020-0009

ID	EIQ-2020-0009
CVE	CVE-2020-7598
Description	minimist enables prototype pollution
Date	12 Mar 2020
Severity	2 - MEDIUM (Snyk score)
CVSSv3 score	5.6 (Snyk score)
Status	2.7.0
Assessment	minimist versions 1.2.1 and earlier could enable an attacker to inject properties into JavaScript prototype objects (prototype pollution) by exploiting a vulnerability in the recursive `merge` function execution. An attacker could add or modify object prototype properties of `Object.prototype` with a `constructor` or a `__proto__` payload. Modified properties are propagated to all objects through inheritance. An attacker could leverage prototype pollution by remotely executing arbitrary code, or by triggering JavaScript exceptions to carry out a denial of service (DoS) attack.
Mitigation	Upgrade to EclecticIQ Platform 2.7.0 or later. At the moment, it is not possible to globally upgrade minimist, because it occurs at least once as a sub-dependency. Sub-dependencies are indirect dependencies of other third-party dependencies. We cannot control these dependencies. We address these issues as soon as eligible third-party patches become available through their respective vendors, owners, or official maintainers. Restrict network access to only trusted users. Do not allow network access to untrusted users or sources.
Affected versions	2.6.0 and earlier.
Notes	For more information, see: CVE-2020-7598 on mitre.org Snyk report about the vulnerability GitHub commit with the fix This section is not visible to users accessing the public docs, it's for internal reference See also: TP 43871 (prototype-pollution) GitHub PR 3777 Slack thread

< Back to all security issues and mitigation actions

In release notes 2.7.0