CVE-2018-3728: Prototype pollution attack

March 30, 2018 (updated October 9, 2019)

The merge function, and the applyToDefaults and applyToDefaultsWithShallow functions which leverage merge behind the scenes, are vulnerable to a prototype pollution attack when provided an unvalidated payload created from a JSON string containing the __proto__ property.

References

github.com/hapijs/hoek/commit/32ed5c9413321fbc37da5ca81a7cbab693786dee
github.com/hapijs/hoek/commit/5aed1a8c4a3d55722d1c799f2368857bf418d6df
hackerone.com/reports/310439

Code Behaviors & Features

Detect and mitigate CVE-2018-3728 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →