All minimist CVEs — Complete Vulnerability History
minimist parses command-line arguments. Despite its tiny size, it's one of the most downloaded npm packages and a common transitive dependency. Prototype pollution in argument parsing has been patched twice.
npm · 100M+ weekly downloads · 2 CVEs total · 1 CRITICAL · 🔴 CISA KEV
Full CVE history
🔴 1 CVE on CISA KEV — actively exploited in real attacks
| CVE | Year | Severity | Description | Fix |
|---|---|---|---|---|
| CVE-2020-7598 | 2020 | MEDIUM | Prototype pollution via crafted argument | Fixed 0.2.1 |
| CVE-2021-44906 | 2021 | 🔴CRITICAL | Prototype pollution — more severe bypass — CISA KEV | Fixed 1.2.6 |
Current safe version: 1.2.6
```
# Before
"minimist": "1.2.5"
# After
"minimist": "1.2.6"
```
Then run: `npm install`
Common questions
Why is minimist CRITICAL?
CVE-2021-44906 has CVSS 9.8 because prototype pollution via command-line argument parsing can be exploited remotely in applications that parse user-controlled arguments. The attack surface is large.
How do I fix minimist if it's transitive?
Use npm overrides in package.json: `{"overrides": {"minimist": "1.2.6"}}`. minimist appears in hundreds of tools as a transitive dependency, so the override is the practical fix without updating every parent package.
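To confirm the override reached every nested copy, the following added example (not PackageFix or minimist code) lists each minimist entry in a parsed package-lock.json that is older than the safe version given above. The function names, the sample lockfile and the package names `tool-a` and `tool-b` are hypothetical, and version comparison assumes plain x.y.z strings.

```javascript
// Added example: list every minimist copy in a parsed package-lock.json
// that is older than the safe version this page gives (1.2.6).
const SAFE = "1.2.6";

// Compare plain x.y.z versions numerically; prerelease tags are ignored (assumption).
function isOlder(version, floor) {
  const a = version.split("-")[0].split(".").map(Number);
  const b = floor.split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    if ((a[i] || 0) !== (b[i] || 0)) return (a[i] || 0) < (b[i] || 0);
  }
  return false;
}

function findOldMinimist(lock) {
  const hits = [];
  // lockfileVersion 2 and 3: flat "packages" map keyed by install path.
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (/(^|\/)node_modules\/minimist$/.test(path) && meta.version && isOlder(meta.version, SAFE)) {
      hits.push({ path, version: meta.version });
    }
  }
  if (lock.packages) return hits;
  // lockfileVersion 1: nested "dependencies" tree, walked recursively.
  (function walk(deps, trail) {
    for (const [name, meta] of Object.entries(deps || {})) {
      const path = trail + "node_modules/" + name;
      if (name === "minimist" && meta.version && isOlder(meta.version, SAFE)) hits.push({ path, version: meta.version });
      walk(meta.dependencies, path + "/");
    }
  })(lock.dependencies, "");
  return hits;
}

// Constructed sample lockfile (not from a real project; tool-a and tool-b are hypothetical).
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/minimist": { version: "1.2.6" },
    "node_modules/tool-a/node_modules/minimist": { version: "0.0.8" },
    "node_modules/tool-b/node_modules/minimist": { version: "1.2.5" },
  },
};

console.log(findOldMinimist(sampleLock));
```

On a real project, pass the function the result of `JSON.parse` on the contents of package-lock.json after running `npm install`; an empty array means no copy below 1.2.6 remains in the lockfile.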