Description
deep-parse-json version 1.0.2 allows an external attacker to edit or add new properties to an object. This is possible because the application does not correctly validate the incoming JSON keys, thus allowing the '__proto__' property to be edited.
Remediation
References
https://fluidattacks.com/advisories/buuren/
https://github.com/sibu-github/deep-parse-json
Related Vulnerabilities
CVE-2018-3748 Vulnerability in npm package glance
CVE-2022-41713 Vulnerability in npm package deep-object-diff
CVE-2022-24718 Vulnerability in npm package @finastra/ssr-pages
CVE-2020-8203 Vulnerability in npm package @sailshq/lodash
CVE-2022-24785 Vulnerability in maven package org.fujion.webjars:moment