deep-parse-json vulnerable to Prototype Pollution
Moderate severity
GitHub Reviewed
Published
Nov 4, 2022
to the GitHub Advisory Database
•
Updated Jan 29, 2023
Description
Published by the National Vulnerability Database
Nov 3, 2022
Published to the GitHub Advisory Database
Nov 4, 2022
Reviewed
Nov 8, 2022
Last updated
Jan 29, 2023
deep-parse-json version 1.0.2 allows an external attacker to edit or add new properties to an object. This is possible because the application does not correctly validate the incoming JSON keys, thus allowing the
__proto__
property to be edited.References