CVE-2020-7598
MEDIUM 5.6 | EPSS 0.19% | Prototype Pollution in minimist
Published: 4/3/2020 | Modified: 3/13/2026
Also known as: GHSA-vh95-rmgr-6w4m
Description
Affected versions of `minimist` are vulnerable to prototype pollution. Arguments are not properly sanitized, allowing an attacker to modify the prototype of `Object`, which adds or modifies a property that then exists on all objects. Parsing the argument `--__proto__.y=Polluted` adds a `y` property with value `Polluted` to all objects. The argument `--__proto__=Polluted` raises an uncaught error and crashes the application. This is exploitable if attackers have control over the arguments being passed to `minimist`.

## Recommendation

Upgrade to versions 0.2.1, 1.2.3 or later.
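The pollution path described above, shown as an added example that is not minimist's own code: a simplified dotted-key setter beside a hardened form. The names `setKeyUnsafe`, `setKeySafe`, `parse` and `pollutes` are hypothetical, and the key blocklist is a common mitigation assumed here, not a statement of the upstream patch. It goes slightly beyond the page by also refusing the `constructor.prototype` route.

```javascript
// Path segments that can reach Object.prototype from a plain object.
const BLOCKED = new Set(['__proto__', 'constructor', 'prototype']);

// Unsafe: walks each segment with plain property access, so the segment
// "__proto__" resolves to Object.prototype instead of an own property.
function setKeyUnsafe(obj, keys, value) {
  let o = obj;
  for (const key of keys.slice(0, -1)) {
    if (o[key] === undefined) o[key] = {};
    o = o[key];
  }
  o[keys[keys.length - 1]] = value;
}

// Hardened: refuses blocked segments and only descends into own properties.
function setKeySafe(obj, keys, value) {
  if (keys.some((k) => BLOCKED.has(k))) return false;
  let o = obj;
  for (const key of keys.slice(0, -1)) {
    const own = Object.prototype.hasOwnProperty.call(o, key);
    if (!own || typeof o[key] !== 'object' || o[key] === null) o[key] = {};
    o = o[key];
  }
  o[keys[keys.length - 1]] = value;
  return true;
}

// Minimal "--a.b=value" parser that delegates nested assignment to setKey.
function parse(args, setKey) {
  const argv = { _: [] };
  for (const arg of args) {
    const m = /^--([^=]+)=(.*)$/.exec(arg);
    if (m) setKey(argv, m[1].split('.'), m[2]);
    else argv._.push(arg);
  }
  return argv;
}

// Reports whether parsing leaked `probe` onto Object.prototype, then cleans up.
function pollutes(setKey, args, probe) {
  parse(args, setKey);
  const leaked = Object.prototype.hasOwnProperty.call(Object.prototype, probe);
  delete Object.prototype[probe];
  return leaked;
}
```

The `pollutes` helper doubles as a regression check: run it against whatever parser a project uses to confirm that untrusted argument strings cannot add properties to unrelated objects.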
Affected packages (2)
- Debian/node-minimist: from 0, < 1.2.5-1
- npm/minimist: from 0, < 0.2.1
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM 5.6 | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L |
References (10)
- ADVISORY: https://nvd.nist.gov/vuln/detail/CVE-2020-7598
- ADVISORY: https://security-tracker.debian.org/tracker/CVE-2020-7598
- PATCH: https://github.com/substack/minimist
- WEB: http://lists.opensuse.org/opensuse-security-announce/2020-06/msg00024.html
- WEB: https://github.com/minimistjs/minimist/commit/10bd4cdf49d9686d48214be9d579a9cdfda37c68
- WEB: https://github.com/minimistjs/minimist/commit/38a4d1caead72ef99e824bb420a2528eec03d9ab
- WEB: https://github.com/minimistjs/minimist/commit/4cf1354839cb972e38496d35e12f806eea92c11f#diff-a1e0ee62c91705696ddb71aa30ad4f95
- WEB: https://github.com/minimistjs/minimist/commit/63e7ed05aa4b1889ec2f3b196426db4500cbda94
- WEB: https://snyk.io/vuln/SNYK-JS-MINIMIST-559764
- WEB: https://www.npmjs.com/advisories/1179