Source: node-json5
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerability was published for node-json5.

CVE-2022-46175[0]:
| JSON5 is an extension to the popular JSON file format that aims to be
| easier to write and maintain by hand (e.g. for config files). The
| `parse` method of the JSON5 library before and including version
| `2.2.1` does not restrict parsing of keys named `__proto__`, allowing
| specially crafted strings to pollute the prototype of the resulting
| object. This vulnerability pollutes the prototype of the object
| returned by `JSON5.parse` and not the global Object prototype, which
| is the commonly understood definition of Prototype Pollution. However,
| polluting the prototype of a single object can have significant
| security impact for an application if the object is later used in
| trusted operations. This vulnerability could allow an attacker to set
| arbitrary and unexpected keys on the object returned from
| `JSON5.parse`. The actual impact will depend on how applications
| utilize the returned object and how they filter unwanted keys, but
| could include denial of service, cross-site scripting, elevation of
| privilege, and in extreme cases, remote code execution. `JSON5.parse`
| should restrict parsing of `__proto__` keys when parsing JSON strings
| to objects. As a point of reference, the `JSON.parse` method included
| in JavaScript ignores `__proto__` keys. Simply changing `JSON5.parse`
| to `JSON.parse` in the examples above mitigates this vulnerability.
| This vulnerability is patched in json5 version 2.2.2 and later.

https://github.com/json5/json5/security/advisories/GHSA-9c47-m6qq-7p4h
https://github.com/json5/json5/issues/199
https://github.com/json5/json5/issues/295

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2022-46175
    https://www.cve.org/CVERecord?id=CVE-2022-46175

Please adjust the affected versions in the BTS as needed.

-- 
Pkg-javascript-devel mailing list
Pkg-javascript-devel@alioth-lists.debian.net
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-javascript-devel
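The mechanism the advisory quoted above describes, as an added worked example that is not part of the bug report and is not json5's own code: `buildNaive` and `buildSafe` are constructed models of how a parser stores parsed key/value pairs (the naive one assigns `obj[key] = value`, which for the key `__proto__` triggers the inherited setter and makes the parsed value the returned object's prototype; the hardened one uses `Object.defineProperty`, an assumed fix pattern rather than a claim about the 2.2.2 patch). `HOSTILE_INPUT` is a constructed sample document, and `hasUnexpectedPrototype` is a hypothetical post-parse check a caller can apply to results from an unpatched parser.

```javascript
// Added illustration of the CVE-2022-46175 mechanism. Not json5's code:
// buildNaive/buildSafe are constructed models of how a parser turns parsed
// key/value pairs into an object, and HOSTILE_INPUT is a constructed sample.
// Run with: node proto_demo.js

// Constructed attacker-controlled input that smuggles a "__proto__" key.
// It is plain JSON so JSON.parse can serve as the reference behaviour.
const HOSTILE_INPUT = '{"name": "app", "__proto__": {"isAdmin": true}}';

// JSON.parse is used here only as a tokenizer for the demo: it yields
// "__proto__" as an ordinary own property, which Object.entries then hands
// to the two builders below.
function pairsOf(text) {
  return Object.entries(JSON.parse(text));
}

// Model of the behaviour the advisory describes for JSON5 <= 2.2.1: every
// parsed key is stored with obj[key] = value. For the key "__proto__" that
// invokes the inherited Object.prototype.__proto__ setter, so the parsed
// VALUE becomes the prototype of the result instead of an own property.
function buildNaive(pairs) {
  const obj = {};
  for (const [key, value] of pairs) {
    obj[key] = value;
  }
  return obj;
}

// Hardened model (assumed fix pattern, not json5's own patch): define every
// key as an own data property, so "__proto__" is stored like any other
// string key and the setter never runs.
function buildSafe(pairs) {
  const obj = {};
  for (const [key, value] of pairs) {
    Object.defineProperty(obj, key, {
      value, writable: true, enumerable: true, configurable: true,
    });
  }
  return obj;
}

// Hypothetical post-parse check for untrusted parse results: a freshly
// parsed plain object should sit directly on Object.prototype (or null).
function hasUnexpectedPrototype(obj) {
  const proto = Object.getPrototypeOf(obj);
  return proto !== Object.prototype && proto !== null;
}

// Exercise both builders and JSON.parse on the same document and report the
// observable differences.
function demo() {
  const pairs = pairsOf(HOSTILE_INPUT);
  const polluted = buildNaive(pairs);
  const safe = buildSafe(pairs);
  const viaJSON = JSON.parse(HOSTILE_INPUT);

  return {
    // naive: isAdmin is reachable through the prototype chain but is not an
    // own key, so Object.keys / hasOwnProperty-based filtering miss it
    naiveIsAdmin: polluted.isAdmin,
    naiveOwnKeys: Object.keys(polluted),
    naiveHasOwnIsAdmin: Object.prototype.hasOwnProperty.call(polluted, "isAdmin"),
    naiveUnexpectedProto: hasUnexpectedPrototype(polluted),
    // safe: "__proto__" is an ordinary own key, prototype untouched
    safeIsAdmin: safe.isAdmin,
    safeOwnKeys: Object.keys(safe),
    safeUnexpectedProto: hasUnexpectedPrototype(safe),
    // JSON.parse behaves like the safe builder
    jsonIsAdmin: viaJSON.isAdmin,
    jsonOwnKeys: Object.keys(viaJSON),
    // only the returned object was affected; the global prototype is clean
    globalPolluted: ({}).isAdmin !== undefined,
  };
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(demo());
}
```

Two practitioner notes on the output. First, `globalPolluted` stays false: as the advisory says, only the object returned by the parser is affected, so generic global-prototype-pollution probes will not catch this; a check on the parse result itself (like `hasUnexpectedPrototype`) or filtering with `Object.getPrototypeOf` is needed. Second, `jsonOwnKeys` shows that `JSON.parse` does not actually drop the `__proto__` key; it stores it as an ordinary own property, exactly like the hardened builder, and what it never does is invoke the setter. Code that later copies such an object with `obj[key] = value` (a naive deep merge, for instance) reintroduces the problem, so the key still needs to be filtered or the copy done with `Object.defineProperty`.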