Description
The parse method of the JSON5 library, up to and including version 2.2.1, does not restrict parsing of keys named __proto__, allowing specially crafted strings to pollute the prototype of the resulting object.
This vulnerability pollutes the prototype of the object returned by JSON5.parse, not the global Object.prototype; pollution of the global prototype is the commonly understood definition of Prototype Pollution.
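To make the description concrete, here is an added JavaScript example (not code from the json5 project or from this advisory). `vulnerableBuild` is a constructed stand-in for a parser that assigns `obj[key] = value` while building its result, which is the defect described above; `safeBuild` and `findPollutedPaths` are hypothetical defender-side helpers: a hardened builder and a post-parse check that flags objects whose prototype was replaced.

```javascript
// Constructed stand-in for the defective assignment: when key is "__proto__",
// plain assignment replaces the object's prototype instead of adding a key.
function vulnerableBuild(pairs) {
  const obj = {};
  for (const [key, value] of pairs) obj[key] = value;
  return obj;
}

// Hardened builder (hypothetical): every key becomes an own data property,
// "__proto__" included, so the prototype of the result is never touched.
function safeBuild(pairs) {
  const obj = {};
  for (const [key, value] of pairs) {
    Object.defineProperty(obj, key, {
      value, writable: true, enumerable: true, configurable: true,
    });
  }
  return obj;
}

// Post-parse check for untrusted input: list paths of objects whose prototype
// is not the plain Object.prototype (or null), walking nested objects/arrays.
function findPollutedPaths(value, path = '$', out = []) {
  if (value === null || typeof value !== 'object') return out;
  if (Array.isArray(value)) {
    value.forEach((v, i) => findPollutedPaths(v, `${path}[${i}]`, out));
    return out;
  }
  const proto = Object.getPrototypeOf(value);
  if (proto !== Object.prototype && proto !== null) out.push(path);
  for (const k of Object.keys(value)) findPollutedPaths(value[k], `${path}.${k}`, out);
  return out;
}

// Constructed pairs, equivalent to parsing {"__proto__": {"isAdmin": true}, "name": "x"}.
const pairs = [['__proto__', { isAdmin: true }], ['name', 'x']];

function demo() {
  const bad = vulnerableBuild(pairs);
  const good = safeBuild(pairs);
  return {
    badInherits: bad.isAdmin === true,            // polluted result inherits isAdmin
    badOwnKeys: Object.keys(bad),                 // ['name']: __proto__ never became a key
    globalUntouched: ({}).isAdmin === undefined,  // global Object.prototype is unaffected
    goodInherits: good.isAdmin === undefined,     // hardened result inherits nothing
    polluted: findPollutedPaths(bad),             // ['$']
    clean: findPollutedPaths(good),               // []
  };
}
```

Running `demo()` shows the advisory's point: the returned object inherits the injected property while a fresh `{}` does not, and the post-parse check catches the replaced prototype.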
Recommendation
Update the json5 package to the latest compatible version. Version details:
Affected version(s): **< 1.0.2** and **>= 2.0.0, < 2.2.2**; Patched version(s): **1.0.2** and **2.2.2**
References
- GHSA-9c47-m6qq-7p4h
- lists.debian.org
- lists.fedoraproject.org
- CVE-2022-46175
- CWE-1321
- CAPEC-310
- OWASP 2021-A6
Related Issues
- Parse Server is vulnerable to Prototype Pollution via Cloud Code Webhooks - CVE-2022-41879
- Parse Server vulnerable to Prototype Pollution via Cloud Code Webhooks or Cloud Code Triggers - CVE-2022-41878
- Remote code execution via MongoDB BSON parser through prototype pollution - CVE-2022-39396
- Command injection in Parse Server through prototype pollution - CVE-2022-24760
Tags:
- npm
- json5
Last updated on February 22, 2024