Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS04OTZyLWYyN3ItNTVtd80XPA
json-schema is vulnerable to Prototype Pollution
json-schema before version 0.4.0 is vulnerable to Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution').
Permalink: https://github.com/advisories/GHSA-896r-f27r-55mw
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS04OTZyLWYyN3ItNTVtd80XPA
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Critical
Classification: General
Published: about 3 years ago
Updated: about 1 year ago
CVSS Score: 9.8
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Percentage: 0.00215
EPSS Percentile: 0.59058
Identifiers: GHSA-896r-f27r-55mw, CVE-2021-3918
References:
- https://nvd.nist.gov/vuln/detail/CVE-2021-3918
- https://github.com/kriszyp/json-schema/commit/22f146111f541d9737e832823699ad3528ca7741
- https://huntr.dev/bounties/bb6ccd63-f505-4e3a-b55f-cd2662c261a9
- https://github.com/kriszyp/json-schema/commit/b62f1da1ff5442f23443d6be6a92d00e65cba93a
- https://github.com/kriszyp/json-schema/commit/f6f6a3b02d667aa4ba2d5d50cc19208c4462abfa
- https://lists.debian.org/debian-lts-announce/2022/12/msg00013.html
- https://github.com/advisories/GHSA-896r-f27r-55mw
Blast Radius: 60.7
Affected Packages
npm:json-schema
Dependent packages: 2,341
Dependent repositories: 1,556,405
Downloads: 66,139,904 last month
Affected Version Ranges: < 0.4.0
Fixed in: 0.4.0
All affected versions: 0.2.0, 0.2.2, 0.2.3, 0.2.4, 0.2.5, 0.3.0
All unaffected versions: 0.4.0