json5 is vulnerable to prototype pollution. The vulnerability exists in the internalize function in parse.js due to not restricting keys named __proto__, which allows an attacker to inject specially crafted strings to pollute the prototype of the resulting object.
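
The assignment pattern behind this class of bug, next to a hardened form, as an added example that is not json5's own code. The function names and the sample input are hypothetical and constructed here; JSON.parse is used only as a stand-in source of key/value pairs that contain an own "__proto__" key.

```javascript
// Constructed input: JSON.parse stores "__proto__" as an ordinary own property.
const SAMPLE = '{"name": "guest", "__proto__": {"isAdmin": true}}';

// Weak pattern: plain assignment. For the key "__proto__" this invokes the
// inherited setter and replaces the object's prototype instead of adding a key.
function buildUnsafe(pairs) {
  const out = {};
  for (const [key, value] of pairs) out[key] = value;
  return out;
}

// Hardened pattern: define every key as an own data property, so "__proto__"
// is stored like any other key and the prototype chain is left untouched.
function buildSafe(pairs) {
  const out = {};
  for (const [key, value] of pairs) {
    Object.defineProperty(out, key, {
      value, writable: true, enumerable: true, configurable: true,
    });
  }
  return out;
}

// Check for parsed results: true when the object's prototype is something
// other than Object.prototype or null, i.e. it was swapped during construction.
function hasReplacedPrototype(obj) {
  const proto = Object.getPrototypeOf(obj);
  return proto !== Object.prototype && proto !== null;
}

// Runs both builders over the same constructed input and reports the outcome.
function demo() {
  const pairs = Object.entries(JSON.parse(SAMPLE));
  const unsafe = buildUnsafe(pairs);
  const safe = buildSafe(pairs);
  return {
    unsafeInherited: unsafe.isAdmin,              // property never set as a key
    unsafeReplaced: hasReplacedPrototype(unsafe),
    safeInherited: safe.isAdmin,
    safeReplaced: hasReplacedPrototype(safe),
    safeOwnKeys: Object.keys(safe),
    globalClean: ({}).isAdmin === undefined,      // Object.prototype untouched
  };
}
```

A check such as hasReplacedPrototype can be applied to objects built from untrusted input before code relies on properties it expects to be absent by default.
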
github.com/json5/json5/commit/7774c1097993bc3ce9f0ac4b722a32bf7d6871c8
github.com/json5/json5/issues/199
github.com/json5/json5/issues/295
github.com/json5/json5/pull/296
github.com/json5/json5/pull/298
github.com/json5/json5/security/advisories/GHSA-9c47-m6qq-7p4h
lists.debian.org/debian-lts-announce/2023/11/msg00021.html
lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3S26TLPLVFAJTUN3VIXFDEBEXDYO22CE/