CVE-2020-7774
published 2020-11-17

CVE-2020-7774: The package y18n before 3.2.2, 4.0.1 and 5.0.5 is vulnerable to Prototype Pollution.

Priority: P2 (64)
Severity: critical, 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 69.06% (99.3rd percentile)

Affected

13 ranges

| Vendor       | Product                                | Version range                       | Fixed in                        |
|--------------|----------------------------------------|-------------------------------------|---------------------------------|
| debian       | node-y18n                              | < node-y18n 4.0.0-3 (bookworm)      | node-y18n 4.0.0-3 (bookworm)    |
| oracle       | graalvm                                |                                     |                                 |
| oracle       | graalvm                                |                                     |                                 |
| oracle       | graalvm                                |                                     |                                 |
| paloalto     | pan-os                                 |                                     |                                 |
| siemens      | sinec_infrastructure_network_services  | < 1.0.1.1                           | 1.0.1.1                         |
| y18n_project | y18n                                   | < 3.2.2                             | 3.2.2                           |
| y18n_project | y18n                                   |                                     |                                 |
| y18n_project | y18n                                   | >= 0 < 3.2.2                        | 3.2.2                           |
| y18n_project | y18n                                   | >= 4.0.0 < 4.0.1                    | 4.0.1                           |
| y18n_project | y18n                                   | >= 5.0.0 < 5.0.5                    | 5.0.5                           |
| y18n_project | y18n                                   | >= 5.0.0 < 5.0.5                    | 5.0.5                           |
| y18n_project | y18n                                   | >= unspecified < 5.0.5              | 5.0.5                           |

Detection & IOCs (extracted from sources)

  • Vulnerability is scoped as local access only, limiting remote exploitation surface.
  • Exploitation requires attacker-controlled untrusted input via the locale functionality of y18n; denial of service is the primary impact, with data integrity/confidentiality impact only in rare circumstances.
  • In OpenShift/OSSM/distributed tracing deployments, the vulnerable library is behind OAuth authentication, reducing practical exploitability to authenticated users only.
  • In Red Hat OpenShift Container Storage 4, y18n is a dependency of yargs within noobaa-core, but no unsafe usage accepting untrusted input was identified.

CVSS provenance

| Source        | Version | Score | Severity | Vector                                         |
|---------------|---------|-------|----------|------------------------------------------------|
| nvd           | v3.1    | 9.8   | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H   |
| nvd           | v2.0    | 7.5   | HIGH     | AV:N/AC:L/Au:N/C:P/I:P/A:P                     |
| osv           |         | 9.8   | CRITICAL |                                                |
| vendor_debian |         | 7.3   | HIGH     |                                                |
| vendor_redhat |         | 7.3   | HIGH     |                                                |