Description

deep-parse-json version 1.0.2 allows an external attacker to edit or add new properties to an object. This is possible because the application does not correctly validate the incoming JSON keys, thus allowing the '__proto__' property to be edited.

Remediation

References

https://github.com/sibu-github/deep-parse-json

https://fluidattacks.com/advisories/buuren/

Related Vulnerabilities

CVE-2021-42697 Vulnerability in maven package com.typesafe.akka:akka-http_2.13

CVE-2020-7607 Vulnerability in npm package gulp-styledocco

CVE-2020-23814 Vulnerability in maven package com.xuxueli:xxl-job

CVE-2022-27202 Vulnerability in maven package org.jenkins-ci.plugins:extended-choice-parameter

CVE-2020-28052 Vulnerability in maven package org.bouncycastle:bcprov-jdk15to18

Severity

Medium

Classification

CWE-1321 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Tags

Product Exploit Third Party Advisory