CVE-2022-42743 – deep-parse-json
Package
Manager: npm
Name: deep-parse-json
Vulnerable Version: >=0 <=1.0.2
Severity
Level: Medium
CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
EPSS: 0.00082 (percentile 0.24824)
Details
deep-parse-json vulnerable to Prototype Pollution

deep-parse-json version 1.0.2 allows an external attacker to edit or add new properties to an object. This is possible because the application does not correctly validate the incoming JSON keys, thus allowing the `__proto__` property to be edited.
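
The missing key validation described above, as an added example that is not code from deep-parse-json or from the advisory: a recursive parser that assigns every incoming key is shown beside one that filters keys before assignment. The function names, the sample input, and the choice to also block `constructor` and `prototype` are assumptions made for this illustration.

```javascript
// Added illustration; not the deep-parse-json source. All names are hypothetical.
const BLOCKED_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Constructed input: the "profile" value is itself a JSON string.
const SAMPLE =
  '{"user":"alice","profile":"{\\"__proto__\\":{\\"isAdmin\\":true}}"}';

// Parse a string as JSON when possible; return anything else unchanged.
function tryParse(value) {
  if (typeof value !== 'string') return value;
  try {
    return JSON.parse(value);
  } catch {
    return value;
  }
}

// Unvalidated pattern: every incoming key is assigned onto a plain object.
// JSON.parse yields "__proto__" as an own key, and assigning it here goes
// through the Object.prototype setter, so the result's prototype is replaced.
function deepParseNaive(input) {
  const value = tryParse(input);
  if (Array.isArray(value)) return value.map((item) => deepParseNaive(item));
  if (value === null || typeof value !== 'object') return value;
  const out = {};
  for (const key of Object.keys(value)) out[key] = deepParseNaive(value[key]);
  return out;
}

// Hardened pattern: skip prototype-related keys and build the result on a
// null-prototype object, so no assignment can reach a prototype chain.
function deepParseSafe(input) {
  const value = tryParse(input);
  if (Array.isArray(value)) return value.map((item) => deepParseSafe(item));
  if (value === null || typeof value !== 'object') return value;
  const out = Object.create(null);
  for (const key of Object.keys(value)) {
    if (BLOCKED_KEYS.has(key)) continue;
    out[key] = deepParseSafe(value[key]);
  }
  return out;
}

console.log('naive profile.isAdmin:', deepParseNaive(SAMPLE).profile.isAdmin);
console.log('safe  profile.isAdmin:', deepParseSafe(SAMPLE).profile.isAdmin);
```

Results from the hardened function have no prototype, so callers should test membership with `Object.hasOwn(obj, key)` or `key in obj` rather than `obj.hasOwnProperty(key)`.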
Metadata
Created: 2022-11-04T12:00:25Z
Modified: 2022-11-08T14:49:05Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/11/GHSA-ff9j-pwxg-q5p2/GHSA-ff9j-pwxg-q5p2.json
CWE IDs: ["CWE-1321"]
Alternative ID: GHSA-ff9j-pwxg-q5p2
Finding: F390
Auto approve: 1