What is CVE-2020-7774?

CVE-2020-7774 is a vulnerability in the npm package y18n that allows for Prototype Pollution.

How severe is the vulnerability CVE-2020-7774?

The severity of CVE-2020-7774 is critical, with a severity value of 9.8.

How can I fix CVE-2020-7774?

To fix CVE-2020-7774, you should upgrade to version 5.0.5 of the y18n package.

What is Prototype Pollution?

Prototype Pollution is a vulnerability that allows an attacker to modify the behavior of objects by polluting their prototype.

Where can I find more information about CVE-2020-7774?

You can find more information about CVE-2020-7774 on the NIST National Vulnerability Database website.

Vulnerability/
CVE-2020-7774

critical

9.8

CWE

20 915 1321

25/10/2020

29/3/2021

29/11/2023

CVE-2020-7774: Input Validation

First published: Sun Oct 25 2020(Updated: )

### Overview The npm package `y18n` before versions 3.2.2, 4.0.1, and 5.0.5 is vulnerable to Prototype Pollution. ### POC ```js const y18n = require('y18n')(); y18n.setLocale('__proto__'); y18n.updateLocale({polluted: true}); console.log(polluted); // true ``` ### Recommendation Upgrade to version 3.2.2, 4.0.1, 5.0.5 or later.

Credit: report@snyk.io report@snyk.io

Affected Software	Affected Version	How to fix
npm/y18n	>=5.0.0<5.0.5	5.0.5
npm/y18n	=4.0.0	4.0.1
npm/y18n	<3.2.2	3.2.2
IBM Security Verify Governance	<=10.0
	<3.2.2
	>=5.0.0<5.0.5
	=4.0.0
Oracle GraalVM	=19.3.5
Oracle GraalVM	=20.3.1.2
Oracle GraalVM	=21.0.0.2
Siemens Sinec Infrastructure Network Services	<1.0.1.1
Y18n Project Y18n	<3.2.2
Y18n Project Y18n	>=5.0.0<5.0.5
Y18n Project Y18n	=4.0.0
redhat/nodejs-y18n	<5.0.5	5.0.5
redhat/nodejs-y18n	<4.0.1	4.0.1
redhat/rh-nodejs12-nodejs	<0:12.19.1-2.el7	0:12.19.1-2.el7
redhat/rh-nodejs14-nodejs	<0:14.15.4-2.el7	0:14.15.4-2.el7
redhat/rh-nodejs10-nodejs	<0:10.23.1-2.el7	0:10.23.1-2.el7

Never miss a vulnerability like this again

Reference Links

Parent vulnerabilities

(Appears in the following advisories)

Frequently Asked Questions

What is CVE-2020-7774?
CVE-2020-7774 is a vulnerability in the npm package y18n that allows for Prototype Pollution.
How severe is the vulnerability CVE-2020-7774?
The severity of CVE-2020-7774 is critical, with a severity value of 9.8.
How can I fix CVE-2020-7774?
To fix CVE-2020-7774, you should upgrade to version 5.0.5 of the y18n package.
What is Prototype Pollution?
Prototype Pollution is a vulnerability that allows an attacker to modify the behavior of objects by polluting their prototype.
Where can I find more information about CVE-2020-7774?
You can find more information about CVE-2020-7774 on the NIST National Vulnerability Database website.

agent/author
agent/description
agent/event
agent/first-publish-date
agent/last-modified-date
agent/references
agent/remedy
agent/severity
agent/softwarecombine
agent/tags
agent/type
agent/weakness
collector/github-advisory
alias/GHSA-c4w7-xm78-47vh
alias/CVE-2020-7774
collector/github-advisory-latest
collector/ibm-support
collector/nvd-cve
collector/nvd-index
agent/software-canonical-lookup
collector/redhat-bugzilla
source/Red Hat
collector/redhat-cve
package-manager/npm
vendor/ibm
canonical/ibm security verify governance
version/ibm security verify governance/10.0
vendor/y18n project
vendor/oracle
canonical/oracle graalvm
version/oracle graalvm/19.3.5
version/oracle graalvm/20.3.1.2
version/oracle graalvm/21.0.0.2
vendor/siemens
canonical/siemens sinec infrastructure network services
canonical/y18n project y18n
version/y18n project y18n/5.0.0
version/y18n project y18n/4.0.0
package-manager/redhat