GHSA-653v-rqx9-j85p
Suggest an improvement- Source
- https://github.com/advisories/GHSA-653v-rqx9-j85p
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/11/GHSA-653v-rqx9-j85p/GHSA-653v-rqx9-j85p.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-653v-rqx9-j85p
- Aliases
- Published
- 2022-11-04T12:00:25Z
- Modified
- 2023-11-08T04:10:31.925498Z
- Severity
-
- 5.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N CVSS Calculator
- Summary
- deep-object-diff vulnerable to Prototype Pollution
- Details
-
deep-object-diff before version 1.1.6 allows an external attacker to edit or add new properties to an object. This is possible because the application does not properly validate incoming JSON keys, thus allowing the
__proto__property to be edited. This issue was fixed in version 1.1.9. - Database specific
{ "github_reviewed_at": "2022-11-08T14:48:51Z", "severity": "MODERATE", "cwe_ids": [ "CWE-1321" ], "github_reviewed": true, "nvd_published_at": "2022-11-03T20:15:00Z" }- References
-
- https://nvd.nist.gov/vuln/detail/CVE-2022-41713
- https://github.com/mattphillips/deep-object-diff/issues/85
- https://github.com/mattphillips/deep-object-diff/issues/85#issuecomment-1312450353
- https://github.com/mattphillips/deep-object-diff/pull/87/commits/55f9c3c70cf0d54cb30291e949fb8682fa3c5d9f
- https://github.com/mattphillips/deep-object-diff/pull/87/commits/9576963b68b955e88610aa4f0c696a1aafc1119d
- https://fluidattacks.com/advisories/heldens
- https://github.com/mattphillips/deep-object-diff
Affected packages
npm / deep-object-diff
Package
- Name
- deep-object-diff
- View open source insights on deps.dev
- Purl
- pkg:npm/deep-object-diff