PT-2020-6963 · Minimist+7
Published 2020-04-03 · Updated 2026-06-04 · CVE-2021-44906
CVSS v2.0: 10 (Critical)
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions
Minimist versions 0.2.4 and earlier, 1.2.5 and earlier
Description
The issue is a Prototype Pollution vulnerability in the file index.js, specifically the `setKey()` function. It can be exploited if an attacker controls the arguments passed to minimist, allowing them to modify the prototype of Object and add or modify existing properties. For example, parsing the argument `--__proto__.y=Polluted` can add a y property with value Polluted to all objects. The argument `--__proto__=Polluted` can raise an uncaught error and crash the application.
Recommendations
For Minimist version 0.2.4 and earlier, upgrade to version 0.2.1 or later.
For Minimist version 1.2.5 and earlier, upgrade to version 1.2.3 or later.
As a temporary workaround, consider restricting the use of the `setKey()` function in the index.js file until a patch is available.
Avoid using the `--__proto__` argument in the affected API endpoint until the issue is resolved.
Exploit
Fix
DoS
Prototype Pollution
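The bug class described above, as an added example that is not minimist's code and not part of the original advisory: a simplified dotted-key setter that follows `__proto__`, beside a hardened variant and a pre-parse check for untrusted argv. The function names, the blocked-key list and the sample argv are assumptions made for illustration.

```javascript
'use strict';
// Added illustration: simplified dotted-key setters, not minimist's source.
const BLOCKED = new Set(['__proto__', 'constructor', 'prototype']); // assumed list

// Unsafe pattern: follows whatever each path segment resolves to, so a
// "__proto__" segment steps from the target object onto Object.prototype.
function setKeyUnsafe(obj, dotted, value) {
  const keys = dotted.split('.');
  let o = obj;
  for (const k of keys.slice(0, -1)) {
    if (o[k] === undefined) o[k] = {};
    o = o[k];
  }
  o[keys[keys.length - 1]] = value;
}

// Hardened pattern: reject blocked segments, descend only into own properties.
function setKeySafe(obj, dotted, value) {
  const keys = dotted.split('.');
  if (keys.some((k) => BLOCKED.has(k))) return false;
  let o = obj;
  for (const k of keys.slice(0, -1)) {
    const own = Object.prototype.hasOwnProperty.call(o, k);
    if (!own || typeof o[k] !== 'object' || o[k] === null) o[k] = {};
    o = o[k];
  }
  o[keys[keys.length - 1]] = value;
  return true;
}

// Pre-parse screen for untrusted argv: returns the arguments to reject.
function findPollutingArgs(argv) {
  return argv.filter((arg) => {
    if (!arg.startsWith('--')) return false;
    const name = arg.slice(2).split('=')[0];
    return name.split('.').some((seg) => BLOCKED.has(seg));
  });
}

// Runs both setters on the advisory's example key and checks a fresh object.
function demo() {
  const argv = ['--name=web', '--__proto__.y=Polluted']; // constructed sample
  setKeyUnsafe({}, '__proto__.y', 'Polluted');
  const unsafePolluted = ({}).y === 'Polluted';
  delete Object.prototype.y; // undo the pollution before continuing
  const safeAccepted = setKeySafe({}, '__proto__.y', 'Polluted');
  return { unsafePolluted, safeAccepted, safePolluted: ({}).y !== undefined,
           flagged: findPollutingArgs(argv) };
}
```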
Weakness Enumeration
Related Identifiers
Affected Products
Almalinux
Astra Linux
Centos
Minimist
Red Hat
Red Os
Rocky Linux
Suse