Lucene search
HoLyVieRNODEJS:566HistoryApr 20, 2018 - 9:25 p.m.
Prototype Pollution
2018-04-2021:25:58
HoLyVieR
www.npmjs.com
248
0.01 Low
EPSS
Percentile
83.9%
Overview
Versions of hoek prior to 4.2.1 and 5.0.3 are vulnerable to prototype pollution.
The merge function, and the applyToDefaults and applyToDefaultsWithShallow functions which leverage merge behind the scenes, are vulnerable to a prototype pollution attack when provided an unvalidated payload created from a JSON string containing the __proto__ property.
This can be demonstrated like so:
var Hoek = require('hoek');
var malicious_payload = '{"__proto__":{"oops":"It works !"}}';
var a = {};
console.log("Before : " + a.oops);
Hoek.merge({}, JSON.parse(malicious_payload));
console.log("After : " + a.oops);
This type of attack can be used to overwrite existing properties causing a potential denial of service.
Recommendation
Update to version 4.2.1, 5.0.3 or later.
References
| CPE | Name | Operator | Version |
|---|---|---|---|
| hoek | le | 4.2.0 || >= 5.0.0 < 5.0.3 |
Related
hackerone
hackerone
Node.js third-party modules: Prototype pollution attack (Hoek)
2018-01-30 06:24:55
ubuntucve
ubuntucve
CVE-2018-3728
2018-03-30 00:00:00
debiancve
debiancve
CVE-2018-3728
2018-03-30 19:29:00
nessus
nessus
RHEL 8 : hoek (Unpatched Vulnerability)
2024-05-11 00:00:00
RHEL 8 : nodejs-hoek (Unpatched Vulnerability)
2024-06-03 00:00:00
RHEL 7 : Red Hat Mobile Application Platform 4.6.0 (RHSA-2018:1263)
2018-05-04 00:00:00
cve
cve
CVE-2018-3728
2018-03-30 19:29:00
redhatcve
redhatcve
CVE-2018-3728
2020-04-01 02:12:07
osv
osv
Prototype Pollution in hoek
2018-04-26 15:25:17
CVE-2018-3728
2018-03-30 19:29:00
prion
prion
Code injection
2018-03-30 19:29:00
cvelist
cvelist
CVE-2018-3728
2018-03-30 19:00:00
nvd
nvd
CVE-2018-3728
2018-03-30 19:29:00
ibm
ibm
veracode
veracode
Prototype Pollution
2018-02-15 05:41:21
github
github
Prototype Pollution in hoek
2018-04-26 15:25:17
redhat
redhat