CVE-2022-41713 – deep-object-diff
Package
Manager: npm
Name: deep-object-diff
Vulnerable Version: >=1.1.6 <1.1.9
Severity
Level: Medium
CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
EPSS: 0.00082 (percentile 0.24824)
Details
deep-object-diff vulnerable to Prototype Pollution
deep-object-diff before version 1.1.6 allows an external attacker to edit or add properties on an object. This is possible because the application does not properly validate incoming JSON keys, thus allowing the `__proto__` property to be edited. This issue was fixed in version 1.1.9.
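A defensive illustration of the key check the advisory describes, added here as an example and not taken from deep-object-diff. The diff shape (a plain object keyed by changed property names) and the helper names are assumptions; the vetting rejects any diff carrying a key that can reach the prototype chain, and a post-condition check lets a test suite confirm `Object.prototype` stayed clean after processing untrusted JSON.

```javascript
// Added defensive example for the advisory above, not code from deep-object-diff.
// A diff in that library's style is a plain object whose keys name the changed
// properties (nested for nested changes). Applying one with naive recursive
// assignment lets a key literally named "__proto__" write onto Object.prototype.
// The helpers below are hypothetical.
const FORBIDDEN_KEYS = new Set(["__proto__", "constructor", "prototype"]);

function isPlainObject(v) {
  return v !== null && typeof v === "object" && !Array.isArray(v);
}

// Return dotted paths of every key that could reach the prototype chain,
// so a rejection can be logged with the exact offending location.
function findForbiddenKeys(diff, path = []) {
  const hits = [];
  for (const key of Object.keys(diff)) {
    const here = [...path, key];
    if (FORBIDDEN_KEYS.has(key)) hits.push(here.join("."));
    else if (isPlainObject(diff[key])) hits.push(...findForbiddenKeys(diff[key], here));
  }
  return hits;
}

// Apply a diff only after vetting every key, so a rejected input leaves
// both the target and Object.prototype untouched.
function applyDiffSafely(target, diff) {
  const bad = findForbiddenKeys(diff);
  if (bad.length > 0) throw new Error(`rejected diff: forbidden keys at ${bad.join(", ")}`);
  const assign = (dst, src) => {
    for (const key of Object.keys(src)) {
      if (isPlainObject(src[key]) && isPlainObject(dst[key])) assign(dst[key], src[key]);
      else dst[key] = src[key];
    }
  };
  assign(target, diff);
  return target;
}

// Post-condition for a test suite: a fresh empty object must not inherit any
// of the probe names, i.e. Object.prototype has not been polluted.
function prototypeIsClean(probeKeys) {
  return probeKeys.every((k) => ({})[k] === undefined);
}

// Constructed sample input: JSON.parse creates an own "__proto__" key (an
// object literal would instead set the prototype), which is how untrusted
// JSON reaches a diff. applyDiffSafely rejects it.
const UNTRUSTED_DIFF = JSON.parse('{"a": 2, "__proto__": {"polluted": true}}');
```

The same vetting belongs in front of any merge or patch step that consumes a diff produced from untrusted input, not only the diff computation itself.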
Metadata
Created: 2022-11-04T12:00:25Z
Modified: 2022-11-16T20:50:01Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/11/GHSA-653v-rqx9-j85p/GHSA-653v-rqx9-j85p.json
CWE IDs: CWE-1321
Alternative ID: GHSA-653v-rqx9-j85p
Finding: F390
Auto approve: 1