[Pkg-javascript-devel] Bug#1027145: node-json5: CVE-2022-46175
Moritz Mühlenhoff
jmm at inutil.org
Wed Dec 28 16:35:36 GMT 2022
Source: node-json5
X-Debbugs-CC: team at security.debian.org
Severity: important
Tags: security
Hi,
The following vulnerability was published for node-json5.
CVE-2022-46175[0]:
| JSON5 is an extension to the popular JSON file format that aims to be
| easier to write and maintain by hand (e.g. for config files). The
| `parse` method of the JSON5 library before and including version
| `2.2.1` does not restrict parsing of keys named `__proto__`, allowing
| specially crafted strings to pollute the prototype of the resulting
| object. This vulnerability pollutes the prototype of the object
| returned by `JSON5.parse` and not the global Object prototype, which
| is the commonly understood definition of Prototype Pollution. However,
| polluting the prototype of a single object can have significant
| security impact for an application if the object is later used in
| trusted operations. This vulnerability could allow an attacker to set
| arbitrary and unexpected keys on the object returned from
| `JSON5.parse`. The actual impact will depend on how applications
| utilize the returned object and how they filter unwanted keys, but
| could include denial of service, cross-site scripting, elevation of
| privilege, and in extreme cases, remote code execution. `JSON5.parse`
| should restrict parsing of `__proto__` keys when parsing JSON strings
| to objects. As a point of reference, the `JSON.parse` method included
| in JavaScript ignores `__proto__` keys. Simply changing `JSON5.parse`
| to `JSON.parse` in the examples above mitigates this vulnerability.
| This vulnerability is patched in json5 version 2.2.2 and later.
https://github.com/json5/json5/security/advisories/GHSA-9c47-m6qq-7p4h
https://github.com/json5/json5/issues/199
https://github.com/json5/json5/issues/295
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2022-46175
https://www.cve.org/CVERecord?id=CVE-2022-46175
Please adjust the affected versions in the BTS as needed.
More information about the Pkg-javascript-devel
mailing list