Description

deep-parse-json version 1.0.2 allows an external attacker to edit or add new properties to an object. This is possible because the application does not correctly validate the incoming JSON keys, thus allowing the '__proto__' property to be edited.

Remediation

References

https://fluidattacks.com/advisories/buuren/

https://github.com/sibu-github/deep-parse-json

Related Vulnerabilities

CVE-2022-48216 Vulnerability in npm package @uniswap/universal-router

CVE-2023-29519 Vulnerability in maven package org.xwiki.platform:xwiki-platform-attachment-ui

CVE-2020-11022 Vulnerability in maven package org.webjars.npm:jquery

CVE-2022-45399 Vulnerability in maven package org.zeroturnaround:cluster-stats

CVE-2022-23458 Vulnerability in maven package org.webjars.npm:tui-grid

Severity

Medium

Classification

CWE-1321 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Tags

Exploit Third Party Advisory Product