GHSA-ff9j-pwxg-q5p2

Source

https://github.com/advisories/GHSA-ff9j-pwxg-q5p2

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/11/GHSA-ff9j-pwxg-q5p2/GHSA-ff9j-pwxg-q5p2.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-ff9j-pwxg-q5p2

Aliases

CVE-2022-42743

Published

2022-11-04T12:00:25Z

Modified

2023-11-08T04:10:40.191998Z

Severity

5.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N CVSS Calculator

Summary

deep-parse-json vulnerable to Prototype Pollution

Details

deep-parse-json version 1.0.2 allows an external attacker to edit or add new properties to an object. This is possible because the application does not correctly validate the incoming JSON keys, thus allowing the __proto__ property to be edited.

Database specific

{
    "nvd_published_at": "2022-11-03T20:15:00Z",
    "cwe_ids": [
        "CWE-1321"
    ],
    "severity": "MODERATE",
    "github_reviewed": true,
    "github_reviewed_at": "2022-11-08T14:49:05Z"
}

References

Affected packages

npm / deep-parse-json

Package

Name: deep-parse-json; View open source insights on deps.dev
Purl: pkg:npm/deep-parse-json

Affected ranges

Type: SEMVER
Events: Introduced

0Unknown introduced version / All previous versions are affected

Last affected

1.0.2

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/11/GHSA-ff9j-pwxg-q5p2/GHSA-ff9j-pwxg-q5p2.json"