Prototype pollution attack in hoek (via hawk and request)

[jeemok]

Expected result

Expected to pass NSP, however, failed because it has a vulnerable dependency.

Additional information

(+) 1 vulnerabilities found
┌───────────────┬────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┐
│               │ Prototype pollution attack                                                                                                                                                 │
├───────────────┼────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┤
│ Name          │ hoek                                                                                                                                                                       │
├───────────────┼────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┤
│ CVSS          │ 4 (Medium)                                                                                                                                                                 │
├───────────────┼────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┤
│ Installed     │ 4.2.0                                                                                                                                                                      │
├───────────────┼────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┤
│ Vulnerable    │ <= 4.2.0 || >= 5.0.0 < 5.0.3                                                                                                                                               │
├───────────────┼────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┤
│ Patched       │ > 4.2.0 < 5.0.0 || >= 5.0.3                                                                                                                                                │
├───────────────┼────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┤
│ Path          │ htm-next-api@1.0.0 > loopback@3.16.2 > strong-remoting@3.6.0 > request@2.83.0 > hawk@6.0.2 > hoek@4.2.0                                                                    │
├───────────────┼────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┤
│ More Info     │ https://nodesecurity.io/advisories/566                                                                                                                                     │
└───────────────┴────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┘

Ref: https://hackerone.com/reports/310439
Related issue: hapijs/hoek#230
Related PR: hapijs/hoek#231

[virkt25]

Hi @jeemok, unfortunately this issue is cause by a downstream dependency as can be seen in the Path from the NSP report. hoek has a fix, hawk picked it up in version 7.x.x but request still uses 6.x.x. So till request doesn't get updated, we can't do anything. See issue request/request#2874

There is an issue in their repository so a patch should be coming soon & if it's not a major release (I don't expect it to be, it should be picked up by the rest of the dependencies automatically).

I'll leave this issue open to verify we're good once request is updated.

[joshrickert]

Hoek's backported the fix and released it with 4.2.1, which satisfies the required versions all the way up the dependency tree without needing any changes in this repo. I was able to clear out the security notice by forcing an update:

npm install hoek@4.2.1 --save
npm uninstall hoek --save

Clearing out your node_modules and package-lock.json then running a fresh npm install should also do the trick.