Description
The `parse` method of the JSON5 library, up to and including version 2.2.1, does not restrict parsing of keys named `__proto__`, allowing specially crafted strings to pollute the prototype of the resulting object.

This vulnerability pollutes the prototype of the object returned by `JSON5.parse`, not the global `Object` prototype, which is the commonly understood definition of Prototype Pollution.
Recommendation
Update the `json5` package to the latest compatible version. Version details:

Affected version(s): **< 1.0.2** and **>= 2.0.0, < 2.2.2**. Patched version(s): **1.0.2** and **2.2.2**.
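The following is an added example, not code from the advisory or from the json5 project. It models the behaviour the Description section attributes to `JSON5.parse` (a `__proto__` key written through ordinary property assignment) with a toy object builder, so it runs without the `json5` package installed; the builder names, the constructed sample document and the numeric version encoding are assumptions of this example. It shows why only the returned object's prototype changes while `Object.prototype` stays untouched, puts the hardened `Object.defineProperty` form beside it, and adds three defender-side checks: a post-parse prototype check, a pre-parse scan for risky keys, and a check of an installed `json5` version against the ranges listed under Recommendation.

```javascript
// Constructed sample document (not from the page): a __proto__ key next to ordinary data.
const SAMPLE = '{"__proto__": {"isAdmin": true}, "name": "alice"}';

// Native JSON.parse creates "__proto__" as an OWN data property (it never calls the
// inherited setter), so Object.entries() returns it like any other key.
function keyValuePairs(text) {
  return Object.entries(JSON.parse(text));
}

// Toy builder mirroring the defect the advisory describes (assumption: plain assignment,
// which routes a "__proto__" key through the setter inherited from Object.prototype).
function buildWithAssignment(pairs) {
  const obj = {};
  for (const [key, value] of pairs) obj[key] = value;
  return obj;
}

// Hardened builder: defineProperty always creates an own property, so "__proto__"
// becomes plain data instead of replacing the prototype of the object being built.
function buildWithDefineProperty(pairs) {
  const obj = {};
  for (const [key, value] of pairs) {
    Object.defineProperty(obj, key, {
      value, writable: true, enumerable: true, configurable: true,
    });
  }
  return obj;
}

// Check 1 (post-parse): did parsing swap the prototype of the returned object?
// Suitable as a unit test against whichever parser is actually installed.
function hasForeignPrototype(obj) {
  return Object.getPrototypeOf(obj) !== Object.prototype;
}

// Check 2 (pre-parse): walk a native JSON.parse result and report the paths of keys
// that can reach a prototype, before the text is handed to a parser whose handling
// of such keys is unknown.
function findRiskyKeys(node, path = '', out = []) {
  if (node === null || typeof node !== 'object') return out;
  const keys = Array.isArray(node) ? node.map((_, i) => String(i)) : Object.keys(node);
  for (const key of keys) {
    const childPath = path ? `${path}.${key}` : key;
    if (key === '__proto__' || key === 'constructor' || key === 'prototype') {
      out.push(childPath);
    }
    findRiskyKeys(node[key], childPath, out);
  }
  return out;
}

// Check 3 (inventory): is a json5 "major.minor.patch" version inside the affected
// ranges (< 1.0.2, or >= 2.0.0 and < 2.2.2)? Assumes minor and patch stay below 1000.
function isAffectedJson5Version(version) {
  const parts = version.split('.').map(Number);
  if (parts.length !== 3 || parts.some(Number.isNaN)) {
    throw new Error(`unparseable version: ${version}`);
  }
  const [major, minor, patch] = parts;
  const n = major * 1e6 + minor * 1e3 + patch;
  return n < 1000002 || (n >= 2000000 && n < 2002002);
}

// Run both builders on the sample and collect the observable differences.
function demo() {
  const pairs = keyValuePairs(SAMPLE);
  const polluted = buildWithAssignment(pairs);
  const safe = buildWithDefineProperty(pairs);
  return {
    pollutedIsAdmin: polluted.isAdmin,                   // true, inherited from the swapped prototype
    pollutedOwnKeys: Object.keys(polluted),              // ['name'] only; isAdmin is not an own key
    pollutedForeignProto: hasForeignPrototype(polluted), // true
    globalUntouched: ({}).isAdmin === undefined,         // true: Object.prototype was not modified
    safeIsAdmin: safe.isAdmin,                           // undefined: __proto__ is plain data here
    safeForeignProto: hasForeignPrototype(safe),         // false
    riskyKeys: findRiskyKeys(JSON.parse(SAMPLE)),        // ['__proto__']
  };
}

console.log(demo());
```

Run with `node` to see the two results side by side. The `globalUntouched` field is the point the Description makes: consumers of the parsed object see an inherited `isAdmin`, but unrelated objects in the process do not, which is why this is narrower than classic prototype pollution and why a post-parse `hasForeignPrototype` check on untrusted input is a cheap regression test to keep after upgrading.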
References
- GHSA-9c47-m6qq-7p4h
- lists.debian.org
- lists.fedoraproject.org
- CVE-2022-46175
- CWE-1321
- CAPEC-310
- OWASP 2021-A6
Related Issues
- counterpart vulnerable to prototype pollution - CVE-2025-57354
- Parse Server has an OAuth login vulnerability - CVE-2025-30168
- Use of Insufficiently Random Values in undici - CVE-2025-22150
- SummerNote Cross Site Scripting Vulnerability - CVE-2024-37629
Tags: npm, json5
Last updated on February 22, 2024