CVE-2020-7774: Prototype Pollution

Published Oct 25, 2020
·
Updated

Overview

The npm package y18n before versions 3.2.2, 4.0.1, and 5.0.5 is vulnerable to Prototype Pollution.

POC

js const y18n = require('y18n')();

y18n.setLocale('proto'); y18n.updateLocale({polluted: true});

console.log(polluted); // true

Recommendation

Upgrade to version 3.2.2, 4.0.1, 5.0.5 or later.

Other sources

A flaw was found in nodejs-y18n. There is a prototype pollution vulnerability in y18n's locale functionality. If an attacker is able to provide untrusted input via locale, they may be able to cause denial of service or in rare circumstances, impact to data integrity or confidentiality.

Node.js y18n module could allow a remote attacker to execute arbitrary code on the system, caused by a prototype pollution flaw. By sending a specially-crafted request, an attacker could exploit this vulnerability to execute arbitrary code on the system.

IBM

The package y18n before 3.2.2, 4.0.1 and 5.0.5, is vulnerable to Prototype Pollution.

This affects the package y18n before 5.0.5. PoC by po6ix: const y18n = require('y18n')(); y18n.setLocale('proto'); y18n.updateLocale({polluted: true}); console.log(polluted); // true

Upstream patch: https://github.com/yargs/y18n/pull/108

Red Hat

Affected Software

20 affected componentsFixes available
redhat/rh-nodejs12-nodejs<0:12.19.1-2.el7
0:12.19.1-2.el7
redhat/rh-nodejs14-nodejs<0:14.15.4-2.el7
0:14.15.4-2.el7
redhat/rh-nodejs10-nodejs<0:10.23.1-2.el7
0:10.23.1-2.el7
npm/y18n>=5.0.0<5.0.5
5.0.5
npm/y18n=4.0.0
4.0.1
npm/y18n<3.2.2
3.2.2
redhat/nodejs-y18n<5.0.5
5.0.5
redhat/nodejs-y18n<4.0.1
4.0.1
Y18n Project Y18n Node.js<3.2.2
Y18n Project Y18n Node.js>=5.0.0<5.0.5
Y18n Project Y18n Node.js=4.0.0
Oracle GraalVM=19.3.5
Oracle GraalVM=20.3.1.2
Oracle GraalVM=21.0.0.2
Siemens Sinec Infrastructure Network Services<1.0.1.1
IBM Cloud Pak for Security (CP4S)<=1.6.0.1
IBM Cloud Pak for Security (CP4S)<=1.6.0.0
IBM Cloud Pak for Security (CP4S)<=1.5.0.1
IBM Cloud Pak for Security (CP4S)<=1.5.0.0
IBM Cloud Pak for Security (CP4S)<=1.4.0.0

Remediation

Patch Available

https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf

Patch Available

https://github.com/yargs/y18n/pull/108

Patch Available

https://www.oracle.com/security-alerts/cpuApr2021.html

Event History

Oct 25, 2020
CVE Published
12:00 AM
Nov 17, 2020
CVE Published
via MITRE·12:30 PM
Data Sourced
via MITRE·12:30 PM
DescriptionSeverityWeakness
Mar 29, 2021
Advisory Published
04:05 PM

Parent advisories

This vulnerability appears in the following advisories.

Free Weekly Intel

Don't miss critical vulnerabilities

Join thousands of security professionals who receive our weekly digest of trending CVEs, zero-days, and exploited vulnerabilities.

No spam. Unsubscribe anytime.

Frequently Asked Questions

1

What is CVE-2020-7774?

CVE-2020-7774 is a vulnerability in the npm package y18n that allows for Prototype Pollution.

2

How severe is the vulnerability CVE-2020-7774?

The severity of CVE-2020-7774 is critical, with a severity value of 9.8.

3

How can I fix CVE-2020-7774?

To fix CVE-2020-7774, you should upgrade to version 5.0.5 of the y18n package.

4

What is Prototype Pollution?

Prototype Pollution is a vulnerability that allows an attacker to modify the behavior of objects by polluting their prototype.

5

Where can I find more information about CVE-2020-7774?

You can find more information about CVE-2020-7774 on the NIST National Vulnerability Database website.

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co
By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.
© 2026 SecAlerts Pty Ltd.
ABN: 70 645 966 203, ACN: 645 966 203
CVE-2020-7774 - Prototype Pollution - SecAlerts