Furqan node-whois index.coffee prototype pollution
Description
Furqan node-whois before commit 46ccc2a is vulnerable to prototype pollution via an unknown function in index.coffee, allowing remote attackers to modify object attributes.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability analysis
What is the vulnerability
CVE-2020-36618 is a critical vulnerability in the node-whois package by FurqanSoftware. The issue resides in an unknown function within the index.coffee file, where input handling allows for improperly controlled modification of object prototype attributes—commonly known as prototype pollution [1]. The specific mechanism is not publicly detailed, but the class of vulnerability typically involves merging or assigning user-supplied properties into an object without proper sanitization, enabling an attacker to inject properties into the global Object.prototype.
Attack vector and exploitation
The vulnerability can be exploited remotely without requiring authentication, as node-whois is a WHOIS client library used in Node.js applications to perform domain lookups [3][4]. An attacker who can control input processed by the library—for example, by crafting malicious WHOIS server responses or supplying specially crafted options objects—may trigger prototype pollution. The attack surface includes any application that uses the node-whois library and processes untrusted data through the affected function.
Impact
Successful prototype pollution can have widespread consequences, including denial of service, property injection, or potentially arbitrary code execution, depending on how the application uses the polluted properties. The vulnerability is rated as critical (CVSS score not yet provided by NVD) due to its ability to globally affect object behavior in the Node.js runtime, leading to security bypasses or further exploitation [1].
Mitigation
A patch is available in commit 46ccc2aee8d063c7b6b4dee2c2834113b7286076 [2]. Users are strongly advised to update their node-whois dependency to a version that includes this fix. The package is distributed via npm as whois [4]; upgrading to version 2.13.9 or later (if that release incorporates the patch) is recommended. There is no evidence of the vulnerability being exploited in the wild or added to CISA's Known Exploited Vulnerabilities catalog at the time of writing.
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| whois (npm) | < 2.13.6 | 2.13.6 |
Affected products (2)
- Range: n/a
Patches
- 46ccc2aee8d0: fix(vulnerability): Prototype Pollution Vulnerability (#105)
1 file changed · +4 −0
index.coffee+4 −0 modified@@ -14,6 +14,10 @@ cleanParsingErrors = (string) => if typeof done is 'undefined' and typeof options is 'function' done = options options = {} + + if addr == '__proto__' + done new Error 'lookup: __proto__ is not allowed to lookup' + return _.defaults options, follow: 2
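Review bot: the new guard invokes `done new Error 'lookup: __proto__ is not allowed to lookup'` immediately after the block that may have moved `options` into `done`, but nothing in this hunk establishes that `done` is a function at that point; a caller that omits the callback would get a TypeError from the guard itself instead of the intended error. Check `typeof done is 'function'` before calling it (or throw synchronously when no callback was supplied). Separately, the guard is a string-equality denylist of the single key `'__proto__'`, and the hunk does not show which object `addr` later indexes, so a comment or the commit message should say why that one key is sufficient; the lookup site itself would be more robust with a null-prototype map or an own-property check, so the fix does not depend on enumerating dangerous keys.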
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-97jv-c342-5xhc (advisory)
- nvd.nist.gov/vuln/detail/CVE-2020-36618 (advisory)
- github.com/FurqanSoftware/node-whois/commit/46ccc2aee8d063c7b6b4dee2c2834113b7286076 (web)
- github.com/FurqanSoftware/node-whois/pull/105 (web)
- vuldb.com (web)
- web.archive.org/web/20220403104013/https://www.npmjs.com/package/whois (web)
News mentions (0)
No linked articles in our index yet.