VYPR
High severity · NVD Advisory · Published Nov 17, 2020 · Updated Sep 16, 2024

Prototype Pollution

CVE-2020-7774

Description

The package y18n before 3.2.2, 4.0.1 and 5.0.5, is vulnerable to Prototype Pollution.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

The y18n package before versions 3.2.2, 4.0.1, and 5.0.5 is vulnerable to Prototype Pollution: a locale named __proto__ makes the library write translation strings onto Object.prototype, which the cited advisories assess as a potential DoS or RCE vector.

Vulnerability

Overview

The y18n npm package, the small internationalization helper used by yargs, is vulnerable to Prototype Pollution before versions 3.2.2, 4.0.1, and 5.0.5 [1][2]. Prototype Pollution is the class of bug in which attacker-controlled input reaches a property name such as __proto__, constructor, or prototype and thereby writes to a shared prototype, usually Object.prototype, instead of to the intended object [3]. Every object that inherits from that prototype then sees the injected property, so code far away from the vulnerable library starts reading attacker-chosen values where it expected undefined.

Attack

Vector and Exploitation

The advisories describe the bug in the generic terms of unsafe recursive merges and property definition by path [3][4], but the concrete defect in y18n is narrower: the library keeps its translation tables in a cache that was a plain object (this.cache = {}, see the patches below) and indexes that cache with the current locale string. A plain object inherits from Object.prototype, so this.cache['__proto__'] is Object.prototype itself. Anyone who can choose the locale (the locale constructor option or setLocale()) and then cause a write, whether updateLocale({ key: value }) or a plain __('key') lookup of a string that is not yet in the table, therefore ends up assigning that key and its string value onto Object.prototype, where every object in the process inherits it. This is exactly the sequence the regression tests added with the fix exercise. No authentication is involved; the exposure is any application that lets untrusted input select the locale that y18n (and hence yargs) will use.
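The mechanism described in the Overview and Attack sections above, as an added example that is not y18n's own code: a stripped-down model of a locale-keyed cache in the vulnerable shape (`{}`) and in the fixed shape (`Object.create(null)`, the change the patches below make), driven with the same `__proto__` locale the regression tests use. The function names, the lazy creation of the per-locale table, and the victim function are assumptions made for illustration.

```javascript
'use strict';

// Added example, not y18n's source: a minimal model of the cache pattern the
// patches below change (a per-locale table looked up by the locale string in
// a cache object), written so the vulnerable and fixed variants can be run
// side by side. makeCatalog/update/translate/runScenario are hypothetical
// names; the lazy "create the table on first use" step is an assumption about
// how such a cache is typically populated.

// cacheFactory is either () => ({}) (the vulnerable shape, `this.cache = {}`)
// or () => Object.create(null) (the fix in the patches below).
function makeCatalog(locale, cacheFactory) {
  const cache = cacheFactory();

  function table() {
    // With a plain-object cache and locale === '__proto__', cache[locale] is
    // Object.prototype: truthy, so no fresh table is created and every write
    // below lands on the shared prototype. With Object.create(null) there is
    // no prototype chain, '__proto__' is an ordinary missing key, and a
    // private table is created for it.
    if (!cache[locale]) cache[locale] = {};
    return cache[locale];
  }

  return {
    // Shape of updateLocale(): copy caller-supplied key/value pairs in.
    update(obj) {
      const t = table();
      for (const key of Object.keys(obj)) t[key] = obj[key];
    },
    // Shape of __(): return the stored string, recording the key as its own
    // translation when it is not present yet.
    translate(str) {
      const t = table();
      if (!t[str]) t[str] = str;
      return t[str];
    },
  };
}

// A stand-in for unrelated application code that reads an absent property
// and treats anything truthy as "flag set".
function victimHasFlag(options, name) {
  return Boolean(options[name]);
}

// Drive the attack the regression tests describe (locale '__proto__', then
// updateLocale and a lookup), observe the effect on a fresh {} and on the
// victim, and clean Object.prototype afterwards so the process is left sane.
function runScenario(cacheFactory) {
  const catalog = makeCatalog('__proto__', cacheFactory);
  catalog.update({ polluted: '👽' });
  catalog.translate('hello');

  const result = {
    // Built-in Object.prototype members are non-enumerable, so Object.keys()
    // lists exactly the properties added by assignment: a cheap detector.
    leakedKeys: Object.keys(Object.prototype).sort(),
    inherited: ({}).polluted,
    victimTricked: victimHasFlag({}, 'hello'),
  };

  for (const key of Object.keys(Object.prototype)) delete Object.prototype[key];
  return result;
}

console.log('vulnerable:', runScenario(() => ({})));
console.log('fixed:     ', runScenario(() => Object.create(null)));
```

With the plain-object cache the scenario reports `leakedKeys: ['hello', 'polluted']`, a fresh `{}` inheriting `'👽'`, and the victim treating `hello` as a set flag; with the null-prototype cache all three stay clean. The `Object.keys(Object.prototype)` check is also a usable runtime or test-suite assertion in any application: on an unpolluted engine it returns an empty array.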

Impact

Because the attacker picks the property name (the translation key) and, through updateLocale(), its value, a polluted Object.prototype changes what unrelated code observes when it reads a property that should be absent: option objects acquire fields nobody set, `in` checks and for...in loops report extra keys, and code that assumed undefined may throw. The cited advisories rate the outcome as Denial of Service through such unexpected exceptions, or Remote Code Execution where the injected property steers the application into an attacker-controlled code path [3][4]. Which of the two is reachable depends on the consuming application, not on y18n, which only stores translation values.

Mitigation

Upgrade y18n to 3.2.2, 4.0.1, or 5.0.5 (or later) on the relevant release line [1][2]; y18n is usually pulled in transitively through yargs, so check the lockfile for every installed copy rather than only direct dependencies. The fix is a one-line change, visible in the patches below: the cache is created with Object.create(null) instead of {}, so it has no prototype chain and '__proto__' becomes an ordinary key. Where upgrading is delayed, the practical workaround is to never let untrusted input select the locale: validate or allowlist the value passed to the locale option or setLocale().

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package        Affected versions      Patched versions
y18n (npm)     < 3.2.2                3.2.2
y18n (npm)     >= 4.0.0, < 4.0.1      4.0.1
y18n (npm)     >= 5.0.0, < 5.0.5      5.0.5
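Two checks a consumer can run, as an added example that is neither y18n's nor yargs' code, serving the Mitigation section and the version table above: a lockfile scan against the affected ranges from the table, and an allowlist for the locale string before it reaches y18n, since the trigger is an attacker-chosen locale name. The lockfile layout mirrors npm's lockfileVersion 2/3 `packages` map; the sample lock, the locale pattern, and all function names are constructed for this example.

```javascript
'use strict';

// Added example, not y18n's or yargs' code. Affected ranges come from the
// advisory table above; SAMPLE_LOCK is a constructed package-lock.json excerpt
// (lockfileVersion 2/3 "packages" map); LOCALE_RE is an assumed shape for a
// legitimate locale name.

// Parse "MAJOR.MINOR.PATCH" (an optional leading "v" and any pre-release or
// build suffix are ignored) into three numbers.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1, 4).map(Number);
}

// Numeric comparison: -1, 0 or 1.
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// Affected ranges for CVE-2020-7774, one per release line (from the table).
const AFFECTED_RANGES = [
  { min: '0.0.0', fixed: '3.2.2' }, // < 3.2.2
  { min: '4.0.0', fixed: '4.0.1' }, // >= 4.0.0, < 4.0.1
  { min: '5.0.0', fixed: '5.0.5' }, // >= 5.0.0, < 5.0.5
];

function isVulnerableY18n(version) {
  return AFFECTED_RANGES.some(
    (r) => compareVersions(version, r.min) >= 0 && compareVersions(version, r.fixed) < 0,
  );
}

// Constructed lockfile excerpt: a hoisted, patched y18n plus a nested, old
// copy under a legacy dependency, which is how a vulnerable copy usually
// survives an update of the top-level package.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    'node_modules/yargs': { version: '16.2.0' },
    'node_modules/y18n': { version: '5.0.5' },
    'node_modules/legacy-cli': { version: '1.0.0' },
    'node_modules/legacy-cli/node_modules/yargs': { version: '15.4.1' },
    'node_modules/legacy-cli/node_modules/y18n': { version: '4.0.0' },
  },
};

// Walk every installed copy of y18n in the lock (npm nests duplicates under
// <dependency>/node_modules/y18n) and report the ones in an affected range.
function findVulnerableY18n(lock) {
  const hits = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    const isY18n = path === 'node_modules/y18n' || path.endsWith('/node_modules/y18n');
    if (isY18n && isVulnerableY18n(meta.version)) {
      hits.push({ path, version: meta.version });
    }
  }
  return hits;
}

// Allowlist for a locale string before it reaches y18n's `locale` option or
// setLocale(): letters for the language, optional _ or - separated subtags,
// and an explicit block on the three prototype-walking names.
const LOCALE_RE = /^[A-Za-z]{2,8}(?:[_-][A-Za-z0-9]{1,8})*$/;
const RESERVED = new Set(['__proto__', 'constructor', 'prototype']);

function isSafeLocale(name) {
  return typeof name === 'string' && !RESERVED.has(name) && LOCALE_RE.test(name);
}

console.log(findVulnerableY18n(SAMPLE_LOCK));
console.log(['en', 'pt_BR', '__proto__', '../en'].map((l) => [l, isSafeLocale(l)]));
```

Against the sample lock the scan reports only the nested 4.0.0 copy; to run it on a real project replace SAMPLE_LOCK with JSON.parse(fs.readFileSync('package-lock.json', 'utf8')). The regex deliberately allows nothing but letters, digits, `_` and `-`, so path separators are rejected as well as the reserved names.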

Affected products

62

Patches

2
90401eea9062

fix: address prototype pollution

https://github.com/yargs/y18n · bcoe · Jan 4, 2021 · via ghsa
4 files changed · +26 −2
  • CHANGELOG.md (+6 −0, added)
    @@ -0,0 +1,6 @@
    +### 3.2.2 (2021-01-04)
    +
    +
    +### Bug Fixes
    +
    +* address prototype pollution issue ([#108](https://www.github.com/yargs/y18n/issues/108)) ([a9ac604](https://www.github.com/yargs/y18n/commit/a9ac604abf756dec9687be3843e2c93bfe581f25))
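Review bot: the 3.2.2 entry names issue #108 and the upstream commit a9ac604 but not the advisory, so anyone matching changelogs to advisories cannot tell this release closes CVE-2020-7774; add the CVE (or GHSA) identifier to the bug-fix line. The entry is dated 2021-01-04 while the referenced upstream commit on this page is dated Oct 25, 2020; a short "backport of" remark would make the relationship between the two commits explicit.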
    
  • index.js (+1 −1, modified)
    @@ -11,7 +11,7 @@ function Y18N (opts) {
       this.fallbackToLanguage = typeof opts.fallbackToLanguage === 'boolean' ? opts.fallbackToLanguage : true
     
       // internal stuff.
    -  this.cache = {}
    +  this.cache = Object.create(null)
       this.writeQueue = []
     }
     
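Review bot: swapping `{}` for `Object.create(null)` on `this.cache` closes the `__proto__` key, but it also removes `hasOwnProperty`, `toString` and every other inherited member from the cache object, so any other code path that calls `this.cache.hasOwnProperty(locale)` or passes `this.cache` somewhere that expects a normal object will now throw; grep the rest of index.js for such uses before merging. The per-locale tables stored inside the cache are not visible in this hunk; if they are still plain objects, a translation key named `__proto__` or `constructor` will still resolve to an Object.prototype member on lookup, so consider creating those with `Object.create(null)` as well.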
    
  • package.json (+1 −1, modified)
    @@ -1,6 +1,6 @@
     {
       "name": "y18n",
    -  "version": "3.2.1",
    +  "version": "3.2.2",
       "description": "the bare-bones internationalization library used by yargs",
       "main": "index.js",
       "scripts": {
    
  • test/y18n-test.js (+18 −0, modified)
    @@ -336,6 +336,24 @@ describe('y18n', function () {
         })
       })
     
    +  // See: https://github.com/yargs/y18n/issues/96,
    +  // https://github.com/yargs/y18n/pull/107
    +  describe('prototype pollution', function () {
    +    it('does not pollute prototype, with __proto__ locale', function () {
    +      const y = y18n()
    +      y.setLocale('__proto__')
    +      y.updateLocale({ polluted: '👽' })
    +      y.__('polluted').should.equal('👽')
    +      ;(typeof polluted).should.equal('undefined')
    +    })
    +
    +    it('does not pollute prototype, when __ is used with __proto__ locale', function () {
    +      const __ = y18n({ locale: '__proto__' }).__
    +      __('hello')
    +      ;(typeof {}.hello).should.equal('undefined')
    +    })
    +  })
    +
       after(function () {
         rimraf.sync('./test/locales/fr.json')
       })
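Review bot: if the `typeof polluted` assertion ever regresses, `Object.prototype.polluted` and `Object.prototype.hello` stay set for every later spec in the process because nothing removes them; add an afterEach that deletes both from Object.prototype (or wrap the assertions in try/finally) so a failure here does not cascade into unrelated tests. Also, `(typeof polluted)` relies on the global object inheriting from Object.prototype; `typeof {}.polluted`, as the second spec already does, checks the prototype directly and reads more clearly.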
    
a9ac604abf75

fix: address prototype pollution issue (#108)

https://github.com/yargs/y18n · Benjamin E. Coe · Oct 25, 2020 · via ghsa
2 files changed · +19 −1
  • lib/index.ts (+1 −1, modified)
    @@ -47,7 +47,7 @@ class Y18N {
         this.fallbackToLanguage = typeof opts.fallbackToLanguage === 'boolean' ? opts.fallbackToLanguage : true
     
         // internal stuff.
    -    this.cache = {}
    +    this.cache = Object.create(null)
         this.writeQueue = []
       }
     
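Review bot: the constructor is the only place in this hunk where `cache` is created, so a later `this.cache = {}` anywhere else in the class (a reset, or a test helper) would silently reopen the hole; a one-line comment on why `Object.create(null)` is required, and a declared type for `cache` that does not accept `{}` (for example a dedicated null-prototype factory instead of an `any`-typed `Object.create` result), would make that harder to regress in TypeScript. The same caveat as the index.js backport applies: nothing may call `hasOwnProperty` on this object any more.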
    
  • test/y18n-test.cjs (+18 −0, modified)
    @@ -351,6 +351,24 @@ describe('y18n', function () {
         })
       })
     
    +  // See: https://github.com/yargs/y18n/issues/96,
    +  // https://github.com/yargs/y18n/pull/107
    +  describe('prototype pollution', () => {
    +    it('does not pollute prototype, with __proto__ locale', () => {
    +      const y = y18n()
    +      y.setLocale('__proto__')
    +      y.updateLocale({ polluted: '👽' })
    +      y.__('polluted').should.equal('👽')
    +      ;(typeof polluted).should.equal('undefined')
    +    })
    +
    +    it('does not pollute prototype, when __ is used with __proto__ locale', () => {
    +      const __ = y18n({ locale: '__proto__' }).__
    +      __('hello')
    +      ;(typeof {}.hello).should.equal('undefined')
    +    })
    +  })
    +
       after(function () {
         rimraf.sync('./test/locales/fr.json')
       })
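Review bot: both specs cover only the `__proto__` locale; `constructor` and `prototype` are the other two names attackers reach for, and with a null-prototype cache `cache['constructor']` is now `undefined` rather than the `Object` function, so a third spec with locale `'constructor'` asserting `typeof Object.polluted === 'undefined'` after `updateLocale({ polluted: '👽' })` would pin that behaviour too. The `after()` hook only removes `fr.json`; check whether the `__proto__` locale now causes a locale file of its own to be written under test/locales and extend the cleanup if so.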
    

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

10

News mentions

0
