Vulnerabilities affecting this package (0)
| Vulnerability |
Summary |
Fixed by |
|
This package is not known to be affected by vulnerabilities.
|
Vulnerabilities fixed by this package (2)
| Vulnerability |
Summary |
Aliases |
|
VCID-f9fx-rs6v-x7d4
|
hoek subject to prototype pollution via the clone function.
hoek versions prior to 8.5.1, and 9.x prior to 9.0.3 are vulnerable to prototype pollution in the clone function. If an object with the __proto__ key is passed to clone() the key is converted to a prototype. This issue has been patched in version 9.0.3, and backported to 8.5.1.
|
CVE-2020-36604
GHSA-c429-5p7v-vgjp
|
|
VCID-yk3z-5fjt-q7gb
|
Prototype Pollution in hoek
Versions of `hoek` prior to 4.2.1 and 5.0.3 are vulnerable to prototype pollution.
The `merge` function, and the `applyToDefaults` and `applyToDefaultsWithShallow` functions which leverage `merge` behind the scenes, are vulnerable to a prototype pollution attack when provided an _unvalidated_ payload created from a JSON string containing the `__proto__` property.
This can be demonstrated like so:
```javascript
var Hoek = require('hoek');
var malicious_payload = '{"__proto__":{"oops":"It works !"}}';
var a = {};
console.log("Before : " + a.oops);
Hoek.merge({}, JSON.parse(malicious_payload));
console.log("After : " + a.oops);
```
This type of attack can be used to overwrite existing properties causing a potential denial of service.
|
CVE-2018-3728
GHSA-jp4x-w63m-7wgm
|