EIQ-2019-0008#

ID	EIQ-2019-0008
CVE	CVE-2018-3728
Description	hoek enables prototype pollution
Date	05 Feb 2019
Severity	2 - MEDIUM
CVSSv3 score	6.5
Status	✅ 2.5.0
Assessment	The hoek Node.js module versions 4.2.0 and earlier, and from version 5.0.0 to 5.0.2, make it possible for an attacker to use the merge, applyToDefaults, and applyToDefaultsWithShallow functions to pass a non-validated JSON string containing the `__proto__` accessor property. This enables arbitrary adding or modifying object prototype properties. Modified properties are propagated through inheritance to all objects, which can result in a denial of service attack.
Mitigation	Update to hoek 4.2.1, or 6.0.0 or later.
Affected versions	2.1.0 to 2.4.0 included.
Notes	For more information, see: Prototype pollution Prototype pollution attack (Hoek) Prototype pollution affecting hoek package versions <4.2.1 \|\| >=5.0.0 <5.0.3 prototype pollution issues in npm audit log