Platform: nodejs
Component: json5
Fixed in: 2.2.3, 2.2.2
CVE-2022-46175 describes a prototype pollution vulnerability found in the json5 library. This flaw allows attackers to manipulate the prototype of objects created during JSON5 parsing, potentially leading to unexpected behavior and security compromises within applications that rely on the parsed data. The vulnerability affects versions prior to 2.2.2 and has been resolved in version 2.2.2.
The core of this vulnerability lies in the `parse` method's failure to restrict parsing of keys named `__proto__`. By crafting malicious JSON5 strings containing this key, an attacker can inject properties into the prototype of the resulting object. While this pollution doesn't directly affect the global `Object.prototype` (a common misconception), it can still have significant security implications. If the parsed object is subsequently used in trusted operations or passed to other functions that rely on prototype inheritance, the injected properties can be inherited, leading to unexpected behavior, data corruption, or even remote code execution depending on the application's logic. This is analogous to other prototype pollution vulnerabilities, but the localized impact on a single object can be overlooked, making it a subtle but dangerous threat.
CVE-2022-46175 is not currently listed on KEV or EPSS, suggesting a low to medium probability of active exploitation. Public proof-of-concept (POC) code is available, demonstrating the vulnerability's feasibility. The vulnerability was published on December 29, 2022, and while no widespread exploitation campaigns have been publicly reported, the ease of exploitation and the potential for subtle impact make it a persistent risk. Refer to the NVD entry for further details.
Exploit status
EPSS: 46.50% (98th percentile)
CVSS vector
The primary mitigation for CVE-2022-46175 is to upgrade to version 2.2.2 or later of the json5 library. If upgrading is not immediately feasible due to compatibility issues or breaking changes, consider implementing input validation to sanitize JSON5 strings before parsing. Specifically, filter out or reject any input containing the `__proto__` key. Web application firewalls (WAFs) can be configured to detect and block requests containing malicious JSON5 payloads. While a direct detection signature is difficult to create, monitoring for unusual object properties appearing during runtime can provide an early warning sign. After upgrading, confirm the fix by attempting to parse a JSON5 string containing the `__proto__` key and verifying that the prototype is not polluted.
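The post-parse verification described above, written out as an added example (not code from json5 or from the advisory). `auditParsed`, `parseChecked` and `assignStyleParse` are hypothetical names, and `assignStyleParse` is a constructed stand-in that models an affected parser by copying keys with plain assignment, so the block runs without json5 installed.

```javascript
// Added example: structural check on parser output. Not json5's own code.

// Walks a parsed value and reports two conditions:
//  - "prototype-replaced": an object whose prototype is no longer the default
//  - "own-__proto__-key": a literal "__proto__" key kept as data, which is
//    inert here but can turn into the first case if copied by assignment
function auditParsed(value, path = '$', findings = []) {
  if (value === null || typeof value !== 'object') return findings;
  const expected = Array.isArray(value) ? Array.prototype : Object.prototype;
  if (Object.getPrototypeOf(value) !== expected) {
    findings.push({ path, issue: 'prototype-replaced' });
  }
  for (const key of Object.keys(value)) {
    if (key === '__proto__') findings.push({ path, issue: 'own-__proto__-key' });
    auditParsed(value[key], `${path}.${key}`, findings);
  }
  return findings;
}

// Wraps any parse function so flagged results never reach application code.
function parseChecked(parseFn, text) {
  const result = parseFn(text);
  const findings = auditParsed(result);
  if (findings.length > 0) {
    const summary = findings.map((f) => `${f.path} (${f.issue})`).join(', ');
    throw new Error(`rejected parsed input: ${summary}`);
  }
  return result;
}

// Constructed stand-in for an affected parser (assumption): keys are copied
// with plain assignment, so a "__proto__" key replaces the object's prototype.
function assignStyleParse(text) {
  const copy = (src) => {
    if (src === null || typeof src !== 'object') return src;
    const out = Array.isArray(src) ? [] : {};
    for (const key of Object.keys(src)) out[key] = copy(src[key]);
    return out;
  };
  return copy(JSON.parse(text));
}

// Constructed sample inputs.
const SAMPLE = '{"user": {"name": "a", "__proto__": {"isAdmin": true}}}';
const CLEAN = '{"user": {"name": "a"}}';
```

In an application, pass `JSON5.parse` as `parseFn`; after the upgrade the same sample should no longer produce a `prototype-replaced` finding.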
Upgrade the JSON5 library to version 1.0.2, 2.2.2 or later. This fixes the prototype pollution vulnerability by restricting the parsing of `__proto__` keys. Alternatively, if possible, replace `JSON5.parse` with `JSON.parse`.
CVE-2022-46175 is a HIGH severity prototype pollution vulnerability in the JSON5 library affecting versions before 2.2.2. It allows attackers to manipulate object prototypes through crafted JSON5 strings, potentially impacting application behavior.
If you are using JSON5 versions prior to 2.2.2 in your application, you are potentially affected by this vulnerability. Assess your dependencies and upgrade as soon as possible.
The recommended fix is to upgrade to version 2.2.2 or later of the JSON5 library. If immediate upgrade is not possible, implement input validation to filter out `__proto__` keys.
While no widespread exploitation campaigns have been publicly reported, the vulnerability is relatively easy to exploit and poses a persistent risk. Monitor your systems and implement mitigations proactively.
Refer to the JSON5 project's GitHub repository and the associated security advisory for detailed information and updates: https://github.com/jaybalzer/json5/security/advisories/GHSA-5g9w-943x-395r