CVE-2021-44906 — minimist Prototype Pollution (CRITICAL)

🔴 CISA KEV · CVSS 9.8

Prototype pollution in minimist's argument parsing allows attackers to modify Object.prototype via crafted arguments. minimist is a transitive dependency of thousands of npm packages — even if you don't use it directly, you almost certainly have it.
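The paragraph above describes the mechanism but not the defensive pattern. As an added example (not code from this page or from minimist itself), the block below shows a hardened dotted-key setter of the kind an argument parser uses to turn `--a.b=1` into `{ a: { b: "1" } }`: it refuses the path segments that would reach `Object.prototype`, descends only into own properties, and pairs the parser with a before/after snapshot that reports any property added to `Object.prototype` while untrusted input was parsed. The function names (`setPath`, `parseArgs`, `snapshotPrototype`, `newPrototypeKeys`) and the sample arguments are constructed for illustration and are not minimist's API.

```javascript
// Added example (not code from the PackageFix page or from minimist itself):
// a hardened dotted-key setter plus a before/after check on Object.prototype.
// Function names and sample arguments are constructed for illustration.

// Path segments that must never become a property name while walking a path:
// assigning through any of them lands on Object.prototype instead of the
// target object, which is the mechanism behind this class of bug.
const FORBIDDEN_SEGMENTS = new Set(["__proto__", "constructor", "prototype"]);

// Assign `value` at dotted `path` inside `target`, creating intermediate
// objects as needed. Returns true on success, false when the path is rejected.
function setPath(target, path, value) {
  const segments = path.split(".");
  if (segments.some((s) => s === "" || FORBIDDEN_SEGMENTS.has(s))) return false;
  let cur = target;
  for (let i = 0; i < segments.length - 1; i++) {
    const seg = segments[i];
    // Descend only into own, plain-object properties; an inherited value
    // (or a primitive) is shadowed with a fresh object rather than walked into.
    const own = Object.prototype.hasOwnProperty.call(cur, seg);
    if (!own || typeof cur[seg] !== "object" || cur[seg] === null) cur[seg] = {};
    cur = cur[seg];
  }
  cur[segments[segments.length - 1]] = value;
  return true;
}

// Parse "--key=value" and "--flag" arguments. Rejected keys are reported
// instead of being silently applied, so the caller can log or refuse them.
function parseArgs(argv) {
  const opts = {};
  const positional = [];
  const rejected = [];
  for (const arg of argv) {
    if (!arg.startsWith("--")) { positional.push(arg); continue; }
    const eq = arg.indexOf("=");
    const key = eq === -1 ? arg.slice(2) : arg.slice(2, eq);
    const value = eq === -1 ? true : arg.slice(eq + 1);
    if (!setPath(opts, key, value)) rejected.push(key);
  }
  return { opts, positional, rejected };
}

// Snapshot Object.prototype's own property names before parsing untrusted
// input; afterwards, newPrototypeKeys reports anything that was added.
function snapshotPrototype() {
  return new Set(Object.getOwnPropertyNames(Object.prototype));
}
function newPrototypeKeys(snapshot) {
  return Object.getOwnPropertyNames(Object.prototype).filter((n) => !snapshot.has(n));
}

// Usage with constructed input: the rejected key is the shape of argument a
// vulnerable parser would have turned into a property on every object.
const before = snapshotPrototype();
const result = parseArgs(["--server.port=8080", "--__proto__.polluted=yes", "--verbose", "input.txt"]);
console.log(JSON.stringify(result));
// → {"opts":{"server":{"port":"8080"},"verbose":true},"positional":["input.txt"],"rejected":["__proto__.polluted"]}
console.log("prototype keys added during parsing:", newPrototypeKeys(before));
// → []
```

The snapshot check is cheap enough to run in a test suite around any code path that parses user-controlled keys into objects; it catches pollution from any source, not only from the argument parser shown here.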

🔴 Actively Exploited

CVE-2021-44906 is on the CISA Known Exploited Vulnerabilities catalog. It is being used in real attacks right now. Fix immediately.

Affected package

Package    Vulnerable   Safe version   Fix guide
minimist   < 1.2.6      1.2.6          Fix guide →

Timeline

Mar 2022   CVE filed — more severe prototype pollution bypass
Mar 2022   minimist 1.2.6 released as fix
CISA       Added to KEV — exploitation via npm supply chain attacks
Ongoing    Millions of installs of transitive minimist < 1.2.6

Paste your manifest — get a fixed version with all CVEs patched in seconds.


Free · No signup · No CLI · Runs in your browser

Common questions

How do I fix minimist if it's not in my package.json?
Use npm overrides in your root package.json: {"overrides": {"minimist": "1.2.6"}}. PackageFix generates this block automatically when it detects a transitive minimist vulnerability.
Why is this CVSS 9.8 for an argument parser?
Prototype pollution via command-line argument parsing can be exploited remotely in applications that parse user-controlled parameters. The CVSS score reflects the worst-case remote exploitation scenario.
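The first question above is about finding a copy of minimist you never declared. As an added example (not the PackageFix page's or npm's own code), the block below scans a package-lock.json in the lockfile v2/v3 `packages` layout for every installed copy of a package below its fixed version, including nested copies under `node_modules/<dep>/node_modules/`, and emits the `overrides` block the answer describes. The lockfile content, the function names (`findVulnerable`, `buildOverrides`, `compareVersions`) and the `some-cli` / `mkdirp` dependency names in it are constructed for illustration.

```javascript
// Added example (not code from the PackageFix page or from npm): find every
// installed copy of a package below a fixed version in a v2/v3 package-lock.json
// and produce the matching package.json "overrides" block.
// The lockfile below is constructed for illustration.

const SAMPLE_LOCKFILE = {
  name: "example-app", // constructed
  lockfileVersion: 3,
  packages: {
    "": { name: "example-app", dependencies: { "some-cli": "^1.0.0" } },
    "node_modules/some-cli": { version: "1.0.0", dependencies: { minimist: "^1.2.0", mkdirp: "^0.5.1" } },
    "node_modules/minimist": { version: "1.2.5" },                 // transitive, vulnerable
    "node_modules/mkdirp": { version: "0.5.1", dependencies: { minimist: "^1.2.5" } },
    "node_modules/mkdirp/node_modules/minimist": { version: "1.2.6" } // nested copy, already fixed
  }
};

// Compare two dotted version strings numerically; returns -1, 0 or 1.
// A prerelease suffix ("1.2.6-beta") is stripped before comparing.
function compareVersions(a, b) {
  const pa = a.split("-")[0].split(".").map(Number);
  const pb = b.split("-")[0].split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

// Package name from a lockfile path: the part after the last "node_modules/",
// which also handles scoped names such as "@scope/name".
function nameFromPath(path) {
  const marker = "node_modules/";
  return path.slice(path.lastIndexOf(marker) + marker.length);
}

// Every installed copy of `pkg` whose version is below `fixed`, with its path.
function findVulnerable(lockfile, pkg, fixed) {
  const hits = [];
  for (const [path, entry] of Object.entries(lockfile.packages || {})) {
    if (path === "" || !entry.version) continue; // root project entry has no version
    const name = entry.name || nameFromPath(path);
    if (name === pkg && compareVersions(entry.version, fixed) < 0) {
      hits.push({ path, version: entry.version });
    }
  }
  return hits;
}

// The package.json fragment that forces `fixed` for every copy of `pkg`;
// empty when nothing in the lockfile needs it.
function buildOverrides(lockfile, pkg, fixed) {
  if (findVulnerable(lockfile, pkg, fixed).length === 0) return {};
  return { overrides: { [pkg]: fixed } };
}

function main() {
  for (const v of findVulnerable(SAMPLE_LOCKFILE, "minimist", "1.2.6")) {
    console.log(`${v.path} is ${v.version} (< 1.2.6)`);
  }
  console.log(JSON.stringify(buildOverrides(SAMPLE_LOCKFILE, "minimist", "1.2.6"), null, 2));
}
main();
```

To run this against a real project, replace `SAMPLE_LOCKFILE` with `JSON.parse(require("node:fs").readFileSync("package-lock.json", "utf8"))`. The `overrides` field is honoured by npm 8.3 and later; after adding it, reinstall so the lockfile is regenerated, then re-run the scan to confirm no copy below 1.2.6 remains.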
