GHSA-x5r6-x823-9848
Suggest an improvement- Source
- https://github.com/advisories/GHSA-x5r6-x823-9848
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/05/GHSA-x5r6-x823-9848/GHSA-x5r6-x823-9848.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-x5r6-x823-9848
- Aliases
-
- CVE-2020-7766
- Published
- 2021-05-10T19:15:43Z
- Modified
- 2025-01-14T08:57:19.814698Z
- Severity
-
- 7.3 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L CVSS Calculator
- Summary
- Arbitrary Code Execution in json-ptr
- Details
-
npm
json-ptrbefore 2.1.0 has an arbitrary code execution vulnerability. The issue occurs in the set operation when the force flag is set to true. The function recursively set the property in the target object, however it does not properly check the key being set, leading to a prototype pollution. - Database specific
{ "cwe_ids": [ "CWE-1321", "CWE-400", "CWE-74" ], "github_reviewed": true, "github_reviewed_at": "2021-04-19T23:01:34Z", "nvd_published_at": "2020-11-10T16:15:00Z", "severity": "HIGH" }- References
-
- https://nvd.nist.gov/vuln/detail/CVE-2020-7766
- https://github.com/418sec/json-ptr/pull/3
- https://github.com/flitbit/json-ptr/commit/2539e3494c80af1eef24f0f433654a61f255f011
- https://github.com/flitbit/json-ptr/blob/master/src/util.ts%23L174
- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1038396
- https://snyk.io/vuln/SNYK-JS-JSONPTR-1016939
- https://www.huntr.dev/bounties/2-npm-json-ptr
- https://www.npmjs.com/package/json-ptr
Affected packages
npm / json-ptr
Package
- Name
- json-ptr
- View open source insights on deps.dev
- Purl
- pkg:npm/json-ptr