Minimist.js vulnerability 

Issue date: 13-04-2021
Affects versions: 13.4

Security Issue ID

SECURITY-200

 

Affected Product Version(s)

13.4.7


Severity 

low


Description

NPM-1179

Affected versions of `minimist` are vulnerable to prototype pollution. Arguments are not properly sanitized, allowing an attacker to modify the prototype of `Object`, which adds or modifies a property that then exists on all objects.  
Parsing the argument `--__proto__.y=Polluted` adds a `y` property with value `Polluted` to all objects. The argument `--__proto__=Polluted` raises an uncaught error and crashes the application.  
This is exploitable if attackers have control over the arguments being passed to `minimist`.

Instructions

Customers using a 13.x version should upgrade to the latest version.