Versions of @hapi/hoek prior to 8.5.1 and 9.0.3 are vulnerable to Prototype Pollution. The clone function fails to prevent the modification of the Object prototype when passed specially-crafted input. Attackers may use this to change existing properties that exist in all objects, which may lead to Denial of Service or Remote Code Execution in specific circumstances.
This issue does not affect hapi applications since the framework protects against such malicious inputs. Applications that use @hapi/hoek outside of the hapi ecosystem may be vulnerable.
Recommendation
Update to version 8.5.1, 9.0.3 or later.
Configuration
📅 Schedule: "" (UTC).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻️ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
[ ] If you want to rebase/retry this PR, check this box.
This PR contains the following updates:
8.5.0->8.5.1GitHub Vulnerability Alerts
GHSA-22h7-7wwg-qmgg
Versions of
@hapi/hoekprior to 8.5.1 and 9.0.3 are vulnerable to Prototype Pollution. Theclonefunction fails to prevent the modification of the Object prototype when passed specially-crafted input. Attackers may use this to change existing properties that exist in all objects, which may lead to Denial of Service or Remote Code Execution in specific circumstances.This issue does not affect hapi applications since the framework protects against such malicious inputs. Applications that use
@hapi/hoekoutside of the hapi ecosystem may be vulnerable.Recommendation
Update to version 8.5.1, 9.0.3 or later.
Configuration
📅 Schedule: "" (UTC).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻️ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR has been generated by WhiteSource Renovate. View repository job log here.