Minimist.js vulnerability
Issue date: 13-04-2021
Affects versions: 13.4
Security Issue ID
SECURITY-200
Affected Product Version(s)
13.4.7
Severity
low
Description
Affected versions of `minimist` are vulnerable to prototype pollution. Arguments are not properly sanitized, allowing an attacker to modify the prototype of `Object`, causing the addition or modification of an existing property that will exist on all objects.
Parsing the argument `--__proto__.y=Polluted` adds a `y` property with value `Polluted` to all objects. The argument `--__proto__=Polluted` raises an uncaught error and crashes the application.
This is exploitable if attackers have control over the arguments being passed to `minimist`.
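The pattern described above, as an added example that is not minimist's source code and not part of the original advisory: a simplified dotted-key argument parser in which `--__proto__.y=Polluted` reaches `Object.prototype`, beside a hardened variant that rejects such keys. The names `setKey`, `parseArgs`, `pollutes` and the `BLOCKED` denylist are assumptions made for illustration.

```javascript
// Added illustration: a simplified dotted-key parser, NOT minimist's actual code.
// Hypothetical denylist of path segments that can reach a prototype object.
const BLOCKED = new Set(['__proto__', 'constructor', 'prototype']);

// Assign `value` at a dotted path (e.g. "a.b.c") inside obj, creating levels as needed.
// Returns false when `safe` is set and the path contains a blocked segment.
function setKey(obj, path, value, safe) {
  const keys = path.split('.');
  if (safe && keys.some((k) => BLOCKED.has(k))) return false; // refuse the whole key
  let o = obj;
  for (const k of keys.slice(0, -1)) {
    if (typeof o[k] !== 'object' || o[k] === null) o[k] = {};
    o = o[k]; // unsafe mode: k === "__proto__" steps onto Object.prototype
  }
  o[keys[keys.length - 1]] = value;
  return true;
}

// Parse "--key=value" arguments. `safe` enables the denylist and a null-prototype result.
function parseArgs(argv, safe) {
  const out = safe ? Object.create(null) : {};
  const rejected = [];
  for (const arg of argv) {
    const m = /^--([^=]+)=(.*)$/.exec(arg);
    if (!m) continue;
    if (!setKey(out, m[1], m[2], safe)) rejected.push(m[1]);
  }
  return { out, rejected };
}

// Parse argv, report whether Object.prototype gained `prop`, then clean up.
function pollutes(argv, prop, safe) {
  parseArgs(argv, safe);
  const polluted = Object.prototype.hasOwnProperty.call(Object.prototype, prop);
  delete Object.prototype[prop];
  return polluted;
}

const sample = ['--name=app', '--__proto__.y=Polluted']; // constructed input
console.log('unsafe parser pollutes:', pollutes(sample, 'y', false));
console.log('hardened parser pollutes:', pollutes(sample, 'y', true));
console.log('rejected keys:', parseArgs(sample, true).rejected);
```

The same `pollutes` check can serve as a regression test around any argument parser to confirm that an upgrade removed the behaviour.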
Instructions
Customers using a 13.x version should upgrade to the latest version.