Description
deep-object-diff version 1.1.0 allows an external attacker to edit or add properties on an object. This is possible because the library does not properly validate incoming JSON keys, so a key named '__proto__' is processed like any other and the object's prototype can be edited.
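The missing check the description refers to is a validation of keys in untrusted JSON before they are used as property names. The following is an added example, not code from deep-object-diff or the advisory: a validator that reports a '__proto__', 'constructor' or 'prototype' key at any depth of a parsed JSON tree, and a diff-apply routine that refuses such input before touching the target. The function names (findForbiddenKey, safeApplyDiff, demo) and the sample diff are assumptions constructed for this example.

```javascript
// Added example (not deep-object-diff's code): validate untrusted JSON keys
// and apply a nested diff only when no key can reach Object.prototype.
"use strict";

// Keys that let a merge or diff walk out of the target object and into the
// shared prototype chain. Treated as forbidden at any depth.
const FORBIDDEN_KEYS = new Set(["__proto__", "constructor", "prototype"]);

function isPlainObject(value) {
  return value !== null && typeof value === "object" && !Array.isArray(value);
}

// Walk a parsed JSON tree and return the dotted path of the first forbidden
// key, or null when the input is clean. JSON.parse creates "__proto__" as an
// ordinary own property, so Object.keys() does report it here.
function findForbiddenKey(node, path = []) {
  if (Array.isArray(node)) {
    for (let i = 0; i < node.length; i++) {
      const hit = findForbiddenKey(node[i], [...path, String(i)]);
      if (hit !== null) return hit;
    }
    return null;
  }
  if (!isPlainObject(node)) return null;
  for (const key of Object.keys(node)) {
    const here = [...path, key];
    if (FORBIDDEN_KEYS.has(key)) return here.join(".");
    const nested = findForbiddenKey(node[key], here);
    if (nested !== null) return nested;
  }
  return null;
}

// Apply a nested diff to target. The whole diff is validated first, so a
// forbidden key anywhere in it aborts before any property is written.
// Only own properties of target are read or created. Returns target.
function safeApplyDiff(target, diff) {
  const bad = findForbiddenKey(diff);
  if (bad !== null) throw new Error(`forbidden key in diff: ${bad}`);
  for (const key of Object.keys(diff)) {
    const value = diff[key];
    if (isPlainObject(value)) {
      const own = Object.prototype.hasOwnProperty.call(target, key);
      if (!own || !isPlainObject(target[key])) target[key] = {};
      safeApplyDiff(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Constructed sample input: an untrusted diff carrying a "__proto__" key.
const UNTRUSTED_DIFF_JSON = '{"name":"widget","__proto__":{"polluted":"yes"}}';

// Attempt to apply the untrusted diff and report whether it was refused and
// whether Object.prototype stayed clean afterwards.
function demo() {
  const diff = JSON.parse(UNTRUSTED_DIFF_JSON);
  let rejected = false;
  try {
    safeApplyDiff({ name: "old" }, diff);
  } catch (e) {
    rejected = true;
  }
  return { rejected, polluted: ({}).polluted };
}

console.log(demo()); // { rejected: true, polluted: undefined }
```

Validating the whole diff before the first write matters: a check performed key by key during recursion would already have applied earlier siblings when the forbidden key is found, leaving the target half-updated.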
Remediation
References
https://fluidattacks.com/advisories/heldens/
https://github.com/mattphillips/deep-object-diff
Related Vulnerabilities
CVE-2021-23358 Vulnerability in maven package org.webjars.bowergithub.jashkenas:underscore
CVE-2014-0050 Vulnerability in maven package commons-fileupload:commons-fileupload
CVE-2019-10758 Vulnerability in npm package mongo-express
CVE-2023-31419 Vulnerability in maven package org.elasticsearch:elasticsearch
CVE-2022-21653 Vulnerability in maven package org.typelevel:jawn-parser_3