CVE-2022-46175: Prototype Pollution in JSON5

Severity: 8.8 HIGH (NVD)
EPSS: 46.5% (top 2.33%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Dec 24; latest update Apr 30

Description

JSON5 is an extension to the popular JSON file format that aims to be easier to write and maintain by hand (e.g. for config files). The `parse` method of the JSON5 library before and including versions 1.0.1 and 2.2.1 does not restrict parsing of keys named `__proto__`, allowing specially crafted strings to pollute the prototype of the resulting object. This vulnerability pollutes the prototype of the object returned by `JSON5.parse` and not the global Object prototype, which is the commonly und

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Exploitability: 2.8 | Impact: 5.9

Affected Packages (8 packages)

Source | Package | Affected versions
CVEListV5 | json5/json5 | < 2.2.2
NVD | json5/json5 | 2.0.0 to 2.2.2 (+1)
npm | json5/json5 | 2.0.0 to 2.2.2 (+1)
Debian | debian/node-json5 | < node-json5 2.2.3+dfsg-1 (bookworm)

Also affects: Fedora 37

Patches

Vulnerability Details (3)

OSV: Prototype Pollution in JSON5 via Parse Method (2022-12-29)
GHSA: Prototype Pollution in JSON5 via Parse Method (2022-12-29)
OSV: CVE-2022-46175: JSON5 is an extension to the popular JSON file format that aims to be easier to write and maintain by hand (e… (2022-12-24)

Vendor Advisories (4)

Ubuntu: JSON5 vulnerability (2024-04-30)
Red Hat: json5: Prototype Pollution in JSON5 via Parse Method (2022-12-24)
Microsoft: JSON5 is an extension to the popular JSON file format that aims to be easier to write and maintain by hand (e.g. for config files). The `parse` method of the JSON5 library before and including version… (2022-12-13)
Debian: CVE-2022-46175: node-json5 - JSON5 is an extension to the popular JSON file format that aims to be easier to ... (2022)