CVE-2018-3728
Description
hoek node module before 4.2.0 and 5.0.x before 5.0.3 suffers from a Modification of Assumed-Immutable Data (MAID) vulnerability via 'merge' and 'applyToDefaults' functions, which allows a malicious user to modify the prototype of "Object" via __proto__, causing the addition or modification of an existing property that will exist on all objects.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
hoek versions before 4.2.0 and 5.0.x before 5.0.3 allow prototype pollution via merge and applyToDefaults.
Vulnerability
The hoek Node.js module prior to version 4.2.0 and versions 5.0.x before 5.0.3 contains a prototype pollution vulnerability in the merge and applyToDefaults functions. The functions do not properly restrict the modification of __proto__ properties, allowing an attacker to modify the prototype of Object. This affects all objects in the runtime [2].
Exploitation
An attacker can supply a crafted object with a __proto__ key to the merge or applyToDefaults functions. When the function processes the input, it merges the __proto__ property into the target object's prototype chain, effectively polluting the global Object.prototype. No special privileges are required; the attacker only needs to control the input to these functions [2].
Impact
Successful exploitation allows the attacker to add or modify properties on all objects in the Node.js process. This can lead to denial of service, unexpected behavior, or privilege escalation in applications that rely on object property checks. In some contexts, it may enable remote code execution if downstream code uses the polluted properties [2].
Mitigation
The fix is available in hoek versions 4.2.0 and 5.0.3 [2]. Red Hat has released updated packages for Red Hat Mobile Application Platform (RHMAP) that include the fixed version [1][4]. Users should upgrade to the latest patched versions immediately. If upgrading is not possible, avoid passing user-controlled input directly to merge or applyToDefaults functions.
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| hoek (npm) | >= 5.0.0, < 5.0.3 | 5.0.3 |
| hoek (npm) | < 4.2.1 | 4.2.1 |
Affected products
- hapi/hoek node module (v5), range: versions before 5.0.3
Patches
32ed5c941332 skip assignment to __proto__
2 files changed · +13 −0
lib/index.js+4 −0 modified@@ -115,6 +115,10 @@ exports.merge = function (target, source, isNullOverride /* = true */, isMergeAr const keys = Object.keys(source); for (let i = 0; i < keys.length; ++i) { const key = keys[i]; + if (key === '__proto__') { + continue; + } + const value = source[key]; if (value && typeof value === 'object') {
test/index.js+9 −0 modified@@ -585,6 +585,15 @@ describe('merge()', () => { Hoek.merge({ x: {} }, a); expect(a.x.toString()).to.equal('abc'); }); + + it('skips __proto__', () => { + + const a = '{ "ok": "value", "__proto__": { "test": "value" } }'; + + const b = Hoek.merge({}, JSON.parse(a)); + expect(b).to.equal({ ok: 'value' }); + expect(b.test).to.equal(undefined); + }); }); describe('applyToDefaults()', () => {
5aed1a8c4a3d skip assignment to __proto__
2 files changed · +13 −0
lib/index.js+4 −0 modified@@ -113,6 +113,10 @@ exports.merge = function (target, source, isNullOverride /* = true */, isMergeAr const keys = Object.keys(source); for (let i = 0; i < keys.length; ++i) { const key = keys[i]; + if (key === '__proto__') { + continue; + } + const value = source[key]; if (value && typeof value === 'object') {
test/index.js+9 −0 modified@@ -614,6 +614,15 @@ describe('merge()', () => { expect(a.x.toString()).to.equal('abc'); done(); }); + + it('skips __proto__', () => { + + const a = '{ "ok": "value", "__proto__": { "test": "value" } }'; + + const b = Hoek.merge({}, JSON.parse(a)); + expect(b).to.equal({ ok: 'value' }); + expect(b.test).to.equal(undefined); + }); }); describe('applyToDefaults()', () => {
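Review bot: in the lib/index.js hunks (identical in commits 32ed5c941332 and 5aed1a8c4a3d), the guard `if (key === '__proto__') { continue; }` sits before `const value = source[key];`, so the key is never read or assigned, which is the right ordering for the JSON.parse vector the advisory describes. applyToDefaults is named in the description as affected, but neither commit touches it; a one-line note in the commit message saying that applyToDefaults reaches this loop through merge() would make the single guard's coverage explicit.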
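Review bot: the new `it('skips __proto__', ...)` test in both test/index.js hunks asserts `expect(b.test).to.equal(undefined)` on the merge result only; an additional `expect({}.test).to.equal(undefined)` would state directly that Object.prototype, the thing being protected, was left untouched, and running the same payload through applyToDefaults() would cover the second function the advisory lists. The two empty `+` lines inside the it() body are stray whitespace.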
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
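As an added illustration of the mechanics (constructed here, not hoek's code): a minimal deep merge in the shape of the merge() loop in the patches above, first without and then with the `__proto__` guard, run on a payload of the same shape as the patch's regression test, with a check of what an unrelated object sees before, during and after.

```javascript
// Added example: a minimal deep merge in the shape of the hoek merge() loop
// from the patches above (constructed for illustration, not hoek's code).

function isPlainObject(value) {
  return value !== null && typeof value === 'object' && !Array.isArray(value);
}

// Unguarded form. JSON.parse creates an OWN property named "__proto__", so
// Object.keys(source) returns it. Reading target["__proto__"] on a plain
// object yields Object.prototype, which looks like a mergeable object, so
// the recursion writes the payload's keys straight onto Object.prototype.
function mergeUnguarded(target, source) {
  for (const key of Object.keys(source)) {
    const value = source[key];
    if (isPlainObject(value) && isPlainObject(target[key])) {
      mergeUnguarded(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Guarded form: the fix from the patches, skip the key before touching it.
function mergeGuarded(target, source) {
  for (const key of Object.keys(source)) {
    if (key === '__proto__') {
      continue;
    }
    const value = source[key];
    if (isPlainObject(value) && isPlainObject(target[key])) {
      mergeGuarded(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Runs both forms on the same constructed payload (same shape as the
// regression test in the patch) and reports what an unrelated object sees.
function demonstrate() {
  const payload = '{"ok": "value", "__proto__": {"polluted": true}}';
  const before = ({}).polluted;                 // undefined on a clean runtime
  const unguarded = mergeUnguarded({}, JSON.parse(payload));
  const whilePolluted = ({}).polluted;          // true: every object now inherits it
  delete Object.prototype.polluted;             // restore the runtime
  const guarded = mergeGuarded({}, JSON.parse(payload));
  const afterGuard = ({}).polluted;             // still undefined
  return { before, whilePolluted, afterGuard,
           unguardedKeys: Object.keys(unguarded), guardedKeys: Object.keys(guarded) };
}
```

The `isPlainObject` check on `target[key]` is what turns the inherited `__proto__` accessor into a merge target; the guard removes that path without changing how ordinary keys are copied.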
References
- access.redhat.com/errata/RHSA-2018:1263 (Red Hat vendor advisory)
- access.redhat.com/errata/RHSA-2018:1264 (Red Hat vendor advisory)
- github.com/advisories/GHSA-jp4x-w63m-7wgm (GitHub Security Advisory)
- nvd.nist.gov/vuln/detail/CVE-2018-3728 (NVD advisory)
- www.securityfocus.com/bid/103108 (SecurityFocus BID entry)
- github.com/hapijs/hoek/commit/32ed5c9413321fbc37da5ca81a7cbab693786dee (fix commit)
- github.com/hapijs/hoek/commit/5aed1a8c4a3d55722d1c799f2368857bf418d6df (fix commit)
- hackerone.com/reports/310439 (HackerOne report)
- nodesecurity.io/advisories/566 (Node Security advisory)
- snyk.io/vuln/npm:hoek:20180212 (Snyk advisory)
- web.archive.org/web/20200227131737/https://www.securityfocus.com/bid/103108 (archived BID entry)