Prototype Pollution in minimist · CVE-2020-7598 · GitHub Advisory Database · GitHub
Prototype Pollution in minimist
Moderate severity · GitHub Reviewed
Published Apr 3, 2020 to the GitHub Advisory Database • Updated Feb 13, 2024
Published by the National Vulnerability Database: Mar 11, 2020
Reviewed: Apr 3, 2020
Published to the GitHub Advisory Database: Apr 3, 2020
Last updated: Feb 13, 2024
Severity: Moderate
CVSS v3 base metrics
Attack vector: Network
Attack complexity: High
Privileges required: None
User interaction: None
Scope: Unchanged
Confidentiality: Low
Integrity: Low
Availability: Low
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L
EPSS score: (49th percentile)
Weaknesses
CWE-1321: Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
The product receives input from an upstream component that specifies attributes that are to be initialized or updated in an object, but it does not properly control modifications of attributes of the object prototype.
CVE ID: CVE-2020-7598
GHSA ID: GHSA-vh95-rmgr-6w4m
Description
Affected versions of minimist are vulnerable to prototype pollution. Arguments are not properly sanitized, allowing an attacker to modify the prototype of Object, causing the addition or modification of an existing property that will exist on all objects.
Parsing the argument --__proto__.y=Polluted adds a y property with value Polluted to all objects. The argument --__proto__=Polluted raises an uncaught error and crashes the application.
This is exploitable if attackers have control over the arguments being passed to minimist.
Recommendation
Upgrade to versions 0.2.1, 1.2.3 or later.
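The mechanism in the description, as an added example that is not minimist's source and not part of the advisory: a simplified dotted-key setter beside a hardened form that rejects key segments able to reach a prototype. The names setKeyUnsafe, setKeySafe, parseArgs and demo are hypothetical, and the argv is constructed around the argument quoted above.

```javascript
// Added illustration; simplified, NOT minimist's source. All names are hypothetical.
// Vulnerable pattern: walks a dotted key without checking where each segment leads.
function setKeyUnsafe(obj, dottedKey, value) {
  const keys = dottedKey.split('.');
  let o = obj;
  for (const k of keys.slice(0, -1)) {
    if (o[k] === undefined) o[k] = {};
    o = o[k]; // for k === "__proto__" this is Object.prototype, shared by all objects
  }
  o[keys[keys.length - 1]] = value;
  return true;
}

// Hardened pattern: refuse any segment that can reach a prototype, and only
// descend into own properties of the target object.
const BLOCKED = new Set(['__proto__', 'constructor', 'prototype']);
function setKeySafe(obj, dottedKey, value) {
  const keys = dottedKey.split('.');
  if (keys.some((k) => BLOCKED.has(k))) return false; // argument dropped
  let o = obj;
  for (const k of keys.slice(0, -1)) {
    const own = Object.prototype.hasOwnProperty.call(o, k);
    if (!own || typeof o[k] !== 'object' || o[k] === null) o[k] = {};
    o = o[k];
  }
  o[keys[keys.length - 1]] = value;
  return true;
}

// Minimal "--key=value" parser that delegates assignment to the given setter.
function parseArgs(argv, setKey) {
  const out = {};
  for (const arg of argv) {
    const m = /^--([^=]+)=(.*)$/.exec(arg);
    if (m) setKey(out, m[1], m[2]);
  }
  return out;
}

// Constructed argv; the second argument is the one quoted in the advisory text.
function demo() {
  const argv = ['--db.host=localhost', '--__proto__.y=Polluted'];
  parseArgs(argv, setKeyUnsafe);
  const unsafePolluted = ({}).y === 'Polluted'; // unrelated fresh object is affected
  delete Object.prototype.y; // undo the pollution before the second run
  const parsed = parseArgs(argv, setKeySafe);
  return { unsafePolluted, safePolluted: 'y' in {}, parsed };
}

console.log(demo());
```

The guard shows the class of fix only; for minimist itself the remedy is the upgrade named in the recommendation.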