Package details: pkg:deb/debian/node-hoek@5.0.3-1?distro=trixie
purl pkg:deb/debian/node-hoek@5.0.3-1?distro=trixie
Vulnerabilities affecting this package (0)
Vulnerability Summary Fixed by
This package is not known to be affected by vulnerabilities.
Vulnerabilities fixed by this package (1)
Vulnerability Summary Aliases
VCID-yk3z-5fjt-q7gb
Prototype Pollution in hoek
Versions of `hoek` prior to 4.2.1 and 5.0.3 are vulnerable to prototype pollution. The `merge` function, and the `applyToDefaults` and `applyToDefaultsWithShallow` functions which leverage `merge` behind the scenes, are vulnerable to a prototype pollution attack when provided an _unvalidated_ payload created from a JSON string containing the `__proto__` property.

This can be demonstrated like so:

```javascript
var Hoek = require('hoek');
var malicious_payload = '{"__proto__":{"oops":"It works !"}}';

var a = {};
console.log("Before : " + a.oops);
Hoek.merge({}, JSON.parse(malicious_payload));
console.log("After : " + a.oops);
```

This type of attack can be used to overwrite existing properties causing a potential denial of service.

Aliases: CVE-2018-3728, GHSA-jp4x-w63m-7wgm

Date Actor Action Vulnerability Source VulnerableCode Version
2026-04-16T12:19:18.964453+00:00 Debian Importer Fixing VCID-yk3z-5fjt-q7gb https://security-tracker.debian.org/tracker/data/json 38.4.0
2026-04-13T08:25:42.345157+00:00 Debian Importer Fixing VCID-yk3z-5fjt-q7gb https://security-tracker.debian.org/tracker/data/json 38.3.0
2026-04-03T07:47:09.359213+00:00 Debian Importer Fixing VCID-yk3z-5fjt-q7gb https://security-tracker.debian.org/tracker/data/json 38.1.0