{"id":"CVE-2020-7774","details":"The package y18n before 3.2.2, 4.0.1 and 5.0.5, is vulnerable to Prototype Pollution.","aliases":["GHSA-c4w7-xm78-47vh"],"modified":"2026-04-16T04:40:32.048555593Z","published":"2020-11-17T13:15:12.633Z","related":["ALSA-2020:5499","ALSA-2021:0548","ALSA-2021:0551","SNYK-JAVA-ORGWEBJARSNPM-1038306","SNYK-JS-Y18N-1021887","SUSE-SU-2021:2319-1","SUSE-SU-2021:2323-1","SUSE-SU-2021:2326-1","SUSE-SU-2021:2327-1","SUSE-SU-2021:2353-1","SUSE-SU-2021:2354-1","SUSE-SU-2021:2618-1","SUSE-SU-2021:2620-1","openSUSE-SU-2021:1059-1","openSUSE-SU-2021:1060-1","openSUSE-SU-2021:1061-1","openSUSE-SU-2021:1113-1","openSUSE-SU-2021:2327-1","openSUSE-SU-2021:2353-1","openSUSE-SU-2021:2354-1","openSUSE-SU-2021:2618-1","openSUSE-SU-2024:11096-1"],"references":[{"type":"FIX","url":"https://github.com/yargs/y18n/pull/108"},{"type":"FIX","url":"https://www.oracle.com/security-alerts/cpuApr2021.html"},{"type":"FIX","url":"https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf"},{"type":"EVIDENCE","url":"https://github.com/yargs/y18n/issues/96"},{"type":"EVIDENCE","url":"https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1038306"},{"type":"EVIDENCE","url":"https://snyk.io/vuln/SNYK-JS-Y18N-1021887"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/graalvm/graalvm-ce-builds","events":[{"introduced":"0"},{"last_affected":"251e15bf41dcc0c1b4e3debdb7d01f7082734ddd"},{"introduced":"0"},{"last_affected":"3c6e4c01b14bb666c14501160ba526442b051b5a"},{"introduced":"0"},{"last_affected":"2ada493c63db015cc41bca1021f0e567f51893c6"}],"database_specific":{"versions":[{"introduced":"0"},{"last_affected":"19.3.5"},{"introduced":"0"},{"last_affected":"20.3.1.2"},{"introduced":"0"},{"last_affected":"21.0.0.2"}]}},{"type":"GIT","repo":"https://github.com/yargs/y18n","events":[{"introduced":"5553c05002da5a4ad8c52662b54513ebace74331"},{"fixed":"e343b70fbe8245c0a02a5615eee1bbd6bcaac1d6"},{"introduced":"0"},{"last_affected":"45d2568800d6c57be045e76dc4984b2ef3432233"}],"database_specific":{"versions":[{"introduced":"5.0.0"},{"fixed":"5.0.5"},{"introduced":"0"},{"last_affected":"4.0.0"}]}}],"versions":["v1.1.0","v2.0.0","v3.0.0","v3.1.0","v3.2.0","v3.2.1","v4.0.0","v5.0.0","v5.0.1","v5.0.2","v5.0.3","v5.0.4","v5.0.5","vm-19.3.2","vm-19.3.2-pre","vm-19.3.3","vm-19.3.4","vm-19.3.5","vm-20.0.1","vm-20.1.0","vm-20.2.0","vm-20.3.0","vm-20.3.1","vm-20.3.1.2","vm-21.0.0","vm-21.0.0.2"],"database_specific":{"unresolved_ranges":[{"events":[{"introduced":"0"},{"fixed":"3.2.2"}]},{"events":[{"introduced":"0"},{"fixed":"1.0.1.1"}]}],"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2020-7774.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}]}