Lucene search
GoogleOSV:GHSA-X5R6-X823-9848HistoryMay 10, 2021 - 7:15 p.m.
Arbitrary Code Execution in json-ptr
2021-05-1019:15:43
Google
osv.dev
13
npm
json-ptr
arbitrary code execution
vulnerability
set operation
force flag
prototype pollution
EPSS
0.009
Percentile
82.6%
npm json-ptr before 2.1.0 has an arbitrary code execution vulnerability. The issue occurs in the set operation when the force flag is set to true. The function recursively set the property in the target object, however it does not properly check the key being set, leading to a prototype pollution.
References
github.com/418sec/json-ptr/pull/3
github.com/flitbit/json-ptr/blob/master/src/util.ts%23L174
github.com/flitbit/json-ptr/commit/2539e3494c80af1eef24f0f433654a61f255f011
nvd.nist.gov/vuln/detail/CVE-2020-7766
snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1038396
snyk.io/vuln/SNYK-JS-JSONPTR-1016939
www.huntr.dev/bounties/2-npm-json-ptr
www.npmjs.com/package/json-ptr
Related
osv
osv
CVE-2020-7766
2020-11-10 16:15:14
CVE-2021-23509
2021-11-03 18:15:08
Prototype Pollution in json-ptr
2021-11-08 17:43:27
cvelist
cvelist
CVE-2020-7766 Prototype Pollution
2020-11-10 15:35:15
CVE-2021-23509 Prototype Pollution
2021-11-03 17:20:36
cve
cve
CVE-2020-7766
2020-11-10 16:15:14
CVE-2021-23509
2021-11-03 18:15:08
github
github
Arbitrary Code Execution in json-ptr
2021-05-10 19:15:43
Prototype Pollution in json-ptr
2021-11-08 17:43:27
nvd
nvd
CVE-2020-7766
2020-11-10 16:15:14
CVE-2021-23509
2021-11-03 18:15:08
prion
prion
Code injection
2020-11-10 16:15:00
Type confusion
2021-11-03 18:15:00
veracode
veracode
Prototype Pollution
2020-11-11 04:36:16
