CVE-2020-7598

MEDIUM

minimist < 1.2.2 - Prototype Pollution via Constructor or __proto__ Payload

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2020-7598. PoCs published by renewablehacking.

AI-analyzed exploit summary: This repository contains a functional PoC for CVE-2020-7598, demonstrating a prototype pollution vulnerability in the 'minimist' library. The exploit leverages improper handling of user input to manipulate object properties, leading to unauthorized privilege escalation.

Description

minimist before 1.2.2 could be tricked into adding or modifying properties of Object.prototype using a "constructor" or "__proto__" payload.

Exploits (1)

nomisec WORKING POC
by renewablehacking · poc
https://github.com/renewablehacking/CVE-2020-7598


Classification: Working PoC 95%
Attack Type: Auth Bypass
Complexity: Moderate
Reliability: Reliable
Target: minimist (versions affected by CVE-2020-7598)
No auth needed
Prerequisites: Node.js environment · Express.js framework
devstral-2 · analyzed May 25, 2026

References (2)

Core References
Exploit, Patch, Third Party Advisory x_refsource_misc
https://snyk.io/vuln/SNYK-JS-MINIMIST-559764
Mailing List, Third Party Advisory vendor-advisory x_refsource_suse
http://lists.opensuse.org/opensuse-security-announce/2020-06/msg00024.html

Scores

CVSS v3 5.6
EPSS 0.0019
EPSS Percentile 41.0%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L

Details

CWE CWE-1321
Status published
Products (3)
npm/minimist 0 - 0.2.1 (npm)
opensuse/leap 15.1
substack/minimist < 1.2.2
Published Mar 11, 2020
Tracked Since Feb 18, 2026