jsonic was discovered to contain a prototype pollution via the function empty.

Severity:: High

Description

rjrodger jsonic-next v2.12.1 was discovered to contain a prototype pollution via the function empty. This vulnerability allows attackers to execute arbitrary code or cause a Denial of Service (DoS) via injecting arbitrary properties.

Recommendation

No fix is available yet. Followings are affected versions:

<= 2.12.1

References

GHSA-4wm9-3qmv-gvxj
CVE-2024-38993
CWE-1321
CWE-94
CAPEC-310
OWASP 2021-A3
OWASP 2021-A6

Related Issues

Prototype pollution in ag-grid-community via the _.mergeDeep function (GHSA-876p-c77m-x2hc) - CVE-2024-38996
Prototype pollution in ag-grid-community via the _.mergeDeep function - CVE-2024-38996
billboard.js allows prototype pollution via the function generate - CVE-2025-49223
Redoc Prototype Pollution via `Module.mergeObjects` Component - CVE-2024-57083

Tags:: npm; jsonic

Anything's wrong? Let us know Last updated on July 12, 2024