CVE-2020-36604: 
JavaScript vulnerability analysis and mitigation

A prototype pollution vulnerability was discovered in the hoek package versions before 8.5.1 and 9.x before 9.0.3. The vulnerability was identified and assigned CVE-2020-36604, with the public disclosure date of September 23, 2022. The issue specifically affects the clone() function within the package (CVE Mitre, Debian Tracker).

The vulnerability exists in the clone() function of the hapi/hoek package, where if an object with proto key is passed to clone(), the key is converted to a prototype, enabling prototype pollution. The vulnerability has been assigned a CVSS 3.1 score of 8.1 (High), with the vector string CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H (Ubuntu Security).

The vulnerability could potentially lead to prototype pollution, which might affect the integrity and security of applications using the affected versions of the hoek package. However, it's noted that this is considered low risk and hard to exploit, particularly in systems like hapi handlers where input validation prevents invalid objects from entering the application (GitHub Issue).

The vulnerability has been fixed in versions 8.5.1 and 9.0.3 of the hoek package. Users are advised to upgrade to these or later versions to mitigate the vulnerability. The fix was implemented through commit 948baf98634a5c206875b67d11368f133034fa90 for version 9.0.3 (Debian Tracker).