VYPR
Moderate severity · NVD Advisory · Published Mar 11, 2020 · Updated Aug 4, 2024

CVE-2020-7598

Description

minimist before 1.2.2 could be tricked into adding or modifying properties of Object.prototype using a "constructor" or "__proto__" payload.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Prototype Pollution in minimist <=1.2.1 allows attackers to add or modify Object.prototype properties via constructor or __proto__ keys.

Vulnerability

CVE-2020-7598 is a Prototype Pollution vulnerability in the Node.js package minimist, a popular command-line argument parser. Versions before 1.2.2 fail to filter the __proto__ and constructor properties, allowing an attacker to inject arbitrary properties into Object.prototype. This is a classic prototype pollution pattern where untrusted input reaches a recursive merge or property definition by path [1][3].

Exploitation

An attacker can craft command-line arguments such as --__proto__.x 123 or --constructor.prototype.y 123 to pollute the global object prototype. The exploit does not require authentication, as it only requires the ability to pass arguments to a vulnerable script. In typical scenarios, this could be an unprivileged user invoking a Node.js application that uses minimist to parse command-line arguments [4].

Impact

Successful prototype pollution can lead to denial of service by triggering JavaScript exceptions, or tampering with application logic. In more severe cases, it can cause remote code execution by forcing the application into an attacker-controlled code path [3]. Since all JavaScript objects inherit from Object.prototype, the pollution affects the entire application context.

Mitigation

The issue is fixed in minimist version 1.2.2. Users should upgrade to this version or later. There is no known workaround besides updating the package. OpenSUSE also issued an advisory referencing this CVE [2].
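The kind of hardened path setter the fix commits below converge on, written here as an added example that is not minimist's code: `safeSetKey` refuses any path segment that could walk onto a prototype and only descends into own plain objects, `parseDotted` is a constructed `--a.b value` parser in front of it that reports refused paths instead of silently dropping them, and `enumerablePrototypeKeys` is a post-parse check a defender can run to confirm no built-in prototype was written to. All three names are chosen for this example.

```javascript
// Added example (not minimist's code): a dotted-path argv setter hardened against
// prototype pollution, plus a runtime check for an already-polluted prototype.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function isPlainObject(value) {
  return value !== null && typeof value === 'object' &&
    Object.getPrototypeOf(value) === Object.prototype;
}

// Writes value at the dotted path `keys` under obj. Refuses the whole path if any
// segment could walk onto a prototype, and only descends into own plain objects.
function safeSetKey(obj, keys, value) {
  if (keys.some((k) => FORBIDDEN_KEYS.has(k))) return false;
  let o = obj;
  for (const key of keys.slice(0, -1)) {
    if (!Object.prototype.hasOwnProperty.call(o, key) || !isPlainObject(o[key])) {
      o[key] = {}; // fresh container instead of an inherited or non-object value
    }
    o = o[key];
  }
  o[keys[keys.length - 1]] = value;
  return true;
}

// Minimal `--a.b value` / `--a.b=value` parser (constructed for this example).
// Returns the parsed object plus the key paths that were refused.
function parseDotted(args) {
  const argv = {};
  const dropped = [];
  for (let i = 0; i < args.length; i++) {
    const m = /^--([^=]+)(?:=(.*))?$/.exec(args[i]);
    if (!m) continue;
    const raw = m[2] !== undefined ? m[2] : args[++i];
    const asNumber = Number(raw);
    const value = raw !== undefined && raw.trim() !== '' && !Number.isNaN(asNumber)
      ? asNumber : raw;
    if (!safeSetKey(argv, m[1].split('.'), value)) dropped.push(m[1]);
  }
  return { argv, dropped };
}

// Detection: a property written onto a built-in prototype by plain assignment is
// enumerable, so a clean process returns an empty list here.
function enumerablePrototypeKeys() {
  return [Object.prototype, Array.prototype, String.prototype, Number.prototype]
    .flatMap((p) => Object.keys(p));
}

console.log(parseDotted(['--__proto__.x', '123', '--a.b', '7']), enumerablePrototypeKeys());
```

Logging `dropped` at startup gives operators a visible trace of rejected arguments, which is how a pollution attempt against a patched parser would show up in application logs.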

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package          Affected versions    Patched versions
minimist (npm)   < 0.2.1              0.2.1
minimist (npm)   >= 1.0.0, < 1.2.3    1.2.3

Affected products: 57

Patches (4)
10bd4cdf49d9

v0.2.1

https://github.com/minimistjs/minimist · Jordan Harband · Mar 12, 2020 · via ghsa
3 files changed · +57 −4
  • index.js (+12 −3, modified)
    @@ -175,12 +175,21 @@ function hasKey (obj, keys) {
     
     function setKey (obj, keys, value) {
         var o = obj;
    -    keys.slice(0,-1).forEach(function (key) {
    +    for (var i = 0; i < keys.length-1; i++) {
    +        var key = keys[i];
    +        if (key === '__proto__') return;
             if (o[key] === undefined) o[key] = {};
    +        if (o[key] === Object.prototype || o[key] === Number.prototype
    +            || o[key] === String.prototype) o[key] = {};
    +        if (o[key] === Array.prototype) o[key] = [];
             o = o[key];
    -    });
    -    
    +    }
    +
         var key = keys[keys.length - 1];
    +    if (key === '__proto__') return;
    +    if (o === Object.prototype || o === Number.prototype
    +        || o === String.prototype) o = {};
    +    if (o === Array.prototype) o = [];
         if (o[key] === undefined || typeof o[key] === 'boolean') {
             o[key] = value;
         }
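Review bot: the write-back `o[key] = {}` on the `if (o[key] === Object.prototype || o[key] === Number.prototype` lines cannot take effect when the prototype was reached through a `constructor.prototype` path, because `Object.prototype` (and likewise `Number.prototype`, `String.prototype`, `Array.prototype`) is a non-writable property of its constructor; in sloppy-mode code the assignment is silently ignored (in strict mode it would throw), so `o = o[key]` still advances onto the real prototype and the pollution is only stopped by the second set of checks after `var key = keys[keys.length - 1];`, which redirect `o` to a throwaway object. Assigning the fresh container to a local instead (`var next = o[key]; if (next === Object.prototype ...) next = {}; o = next;`) makes the intermediate guard do what it reads as, and a comment should state that the final-key guard is the one that must hold.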
    
  • package.json (+1 −1, modified)
    @@ -1,6 +1,6 @@
     {
         "name": "minimist",
    -    "version": "0.2.0",
    +    "version": "0.2.1",
         "description": "parse argument options",
         "main": "index.js",
         "devDependencies": {
    
  • test/proto.js (+44 −0, added)
    @@ -0,0 +1,44 @@
    +var parse = require('../');
    +var test = require('tape');
    +
    +test('proto pollution', function (t) {
    +    var argv = parse(['--__proto__.x','123']);
    +    t.equal({}.x, undefined);
    +    t.equal(argv.__proto__.x, undefined);
    +    t.equal(argv.x, undefined);
    +    t.end();
    +});
    +
    +test('proto pollution (array)', function (t) {
    +    var argv = parse(['--x','4','--x','5','--x.__proto__.z','789']);
    +    t.equal({}.z, undefined);
    +    t.deepEqual(argv.x, [4,5]);
    +    t.equal(argv.x.z, undefined);
    +    t.equal(argv.x.__proto__.z, undefined);
    +    t.end();
    +});
    +
    +test('proto pollution (number)', function (t) {
    +    var argv = parse(['--x','5','--x.__proto__.z','100']);
    +    t.equal({}.z, undefined);
    +    t.equal((4).z, undefined);
    +    t.equal(argv.x, 5);
    +    t.equal(argv.x.z, undefined);
    +    t.end();
    +});
    +
    +test('proto pollution (string)', function (t) {
    +    var argv = parse(['--x','abc','--x.__proto__.z','def']);
    +    t.equal({}.z, undefined);
    +    t.equal('...'.z, undefined);
    +    t.equal(argv.x, 'abc');
    +    t.equal(argv.x.z, undefined);
    +    t.end();
    +});
    +
    +test('proto pollution (constructor)', function (t) {
    +    var argv = parse(['--constructor.prototype.y','123']);
    +    t.equal({}.y, undefined);
    +    t.equal(argv.y, undefined);
    +    t.end();
    +});
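Review bot: every test here asserts on a shared prototype after the call, but none covers `__proto__` as the last segment of the path (a bare `--__proto__` argument with no dot), which is guarded by a separate line in the fix (`if (key === '__proto__') return;` after `var key = keys[keys.length - 1];`) and so deserves its own case. Because all five tests run in one process, a pollution that slipped through an earlier test would also make a later `{}.z` check fail for the wrong reason; asserting `Object.keys(Object.prototype).length === 0` at the start of each test keeps the failures attributable.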
    
4cf1354839cb

security notice

https://github.com/minimistjs/minimist · substack · Mar 11, 2020 · via ghsa
1 file changed · +7 −0
  • readme.markdown (+7 −0, modified)
    @@ -29,6 +29,13 @@ $ node example/parse.js -x 3 -y 4 -n5 -abc --beep=boop foo bar baz
       beep: 'boop' }
     ```
     
    +# security
    +
    +Previous versions had a prototype pollution bug that could cause privilege
    +escalation in some circumstances when handling untrusted user input.
    +
    +Please use version 1.2.3 or later: https://snyk.io/vuln/SNYK-JS-MINIMIST-559764
    +
     # methods
     
     ``` js
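Review bot: the notice under `# security` points only at 1.2.3, so users pinned to the 0.x line (which receives the same fix in the v0.2.1 commit on this advisory) have no way to learn that a patched 0.x release exists; list `0.2.1` alongside `1.2.3`. "privilege escalation in some circumstances" also understates the effect of writing to `Object.prototype`, which is process-wide; naming it as prototype pollution that affects every object in the process is more accurate for readers deciding whether to upgrade.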
    
38a4d1caead7

even more aggressive checks for protocol pollution

https://github.com/minimistjs/minimist · substack · Mar 10, 2020 · via ghsa
2 files changed · +13 −5
  • index.js (+11 −3, modified)
    @@ -68,13 +68,21 @@ module.exports = function (args, opts) {
     
         function setKey (obj, keys, value) {
             var o = obj;
    -        keys.slice(0,-1).forEach(function (key) {
    +        for (var i = 0; i < keys.length-1; i++) {
    +            var key = keys[i];
    +            if (key === '__proto__') return;
                 if (o[key] === undefined) o[key] = {};
    -            if (o[key] === {}.__proto__) o[key] = {};
    +            if (o[key] === Object.prototype || o[key] === Number.prototype
    +                || o[key] === String.prototype) o[key] = {};
    +            if (o[key] === Array.prototype) o[key] = [];
                 o = o[key];
    -        });
    +        }
     
             var key = keys[keys.length - 1];
    +        if (key === '__proto__') return;
    +        if (o === Object.prototype || o === Number.prototype
    +            || o === String.prototype) o = {};
    +        if (o === Array.prototype) o = [];
             if (o[key] === undefined || flags.bools[key] || typeof o[key] === 'boolean') {
                 o[key] = value;
             }
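Review bot: the guards on the `Object.prototype || Number.prototype || String.prototype` and `Array.prototype` lines are a deny-list by value, so any built-in prototype not enumerated there (Boolean, Function, and every other constructor reachable through a value's `constructor.prototype`) remains a valid write target, and the diff drops the previous `{}.__proto__` comparison without adding any check on the key names themselves. Rejecting the segments `__proto__`, `constructor` and `prototype` by name, and only descending into own properties (`Object.prototype.hasOwnProperty.call(o, key)`) that are plain objects, closes the class rather than the listed cases. The new `return` on `__proto__` also discards the whole argument silently; that behaviour should at least be commented.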
    
  • test/proto.js (+2 −2, modified)
    @@ -4,7 +4,7 @@ var test = require('tape');
     test('proto pollution', function (t) {
         var argv = parse(['--__proto__.x','123']);
         t.equal({}.x, undefined);
    -    t.equal(argv.__proto__.x, 123);
    +    t.equal(argv.__proto__.x, undefined);
         t.equal(argv.x, undefined);
         t.end();
     });
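Review bot: the changed line `t.equal(argv.__proto__.x, undefined);` is now equivalent to the `{}.x` check above it, because once the `__proto__` segment is refused `argv.__proto__` is plain `Object.prototype`; a stronger assertion is `Object.getPrototypeOf(argv) === Object.prototype` together with `argv.hasOwnProperty('__proto__') === false`, which would also have caught the previous commit's behaviour of swapping the prototype for a fresh object.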
    @@ -14,7 +14,7 @@ test('proto pollution (array)', function (t) {
         t.equal({}.z, undefined);
         t.deepEqual(argv.x, [4,5]);
         t.equal(argv.x.z, undefined);
    -    t.equal(argv.x.__proto__.z, 789);
    +    t.equal(argv.x.__proto__.z, undefined);
         t.end();
     });
     
    
63e7ed05aa4b

don't assign onto __proto__

https://github.com/minimistjs/minimist · substack · Mar 10, 2020 · via ghsa
2 files changed · +2 −0
  • index.js (+1 −0, modified)
    @@ -70,6 +70,7 @@ module.exports = function (args, opts) {
             var o = obj;
             keys.slice(0,-1).forEach(function (key) {
                 if (o[key] === undefined) o[key] = {};
    +            if (o[key] === {}.__proto__) o[key] = {};
                 o = o[key];
             });
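Review bot: the new check `if (o[key] === {}.__proto__) o[key] = {};` does not skip the `__proto__` segment; when `key` is `'__proto__'` the assignment runs through the `__proto__` setter and replaces the prototype of `o` with a fresh object, so `argv` stops inheriting from `Object.prototype` (inherited methods such as `argv.hasOwnProperty` disappear) and the remaining path segments are still written onto that new prototype, which is exactly the `argv.__proto__.x === 123` the accompanying test records. The last segment of the path is not checked at all. Rejecting the key by name before `o[key]` is touched avoids both problems.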
     
    
  • test/proto.js (+1 −0, modified)
    @@ -4,5 +4,6 @@ var test = require('tape');
     test('proto pollution', function (t) {
         var argv = parse(['--__proto__.x','123']);
         t.equal({}.x, undefined);
    +    t.equal(argv.__proto__.x, 123);
         t.end();
     });
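Review bot: `t.equal(argv.__proto__.x, 123);` pins down behaviour that should not be accepted: the value is still being written onto a (replaced) prototype of `argv`, and because it is inherited, `argv.x` reads as `123` even though no own property was set; the expectation should be `undefined`, with an added `t.equal(argv.x, undefined)` so a regression of the inheritance path is caught as well.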
    
