jsonic was discovered to contain a prototype pollution via the function empty.

Severity:: High

Description

rjrodger jsonic-next v2.12.1 was discovered to contain a prototype pollution via the function empty. This vulnerability allows attackers to execute arbitrary code or cause a Denial of Service (DoS) via injecting arbitrary properties.

Recommendation

No fix is available yet. Followings are affected versions:

<= 2.12.1

References

GHSA-4wm9-3qmv-gvxj
CVE-2024-38993
CWE-1321
CWE-94
CAPEC-310
OWASP 2021-A3
OWASP 2021-A6

Related Issues

Regular Expression Denial of Service (ReDoS) in lodash (GHSA-29mw-wpgm-hmr9) 3 - CVE-2020-28500
Regular Expression Denial of Service (ReDoS) in lodash (GHSA-x5rq-j2xg-h7qm) - CVE-2019-1010266
Lobe Chat Desktop vulnerable to Remote Code Execution via XSS in Chat Messages - CVE-2025-59417
Payload's SQLite adapter Session Fixation vulnerability (GHSA-26rv-h2hf-3fw4) 2 - CVE-2025-4644

Tags:: npm; jsonic

Anything's wrong? Let us know Last updated on July 12, 2024