Data

Tools

Indexes

Applications

Experiments

Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLXY4OGctY2dtdy12NXh3

Moderate EPSS: 0.00331% (0.55552 Percentile) EPSS:
Permalink JSON

Prototype Pollution in Ajv

Affected Packages Affected Versions Fixed Versions
npm:ajv
PURL: pkg:npm/ajv
< 6.12.3 6.12.3
14,548 Dependent packages
1,087,714 Dependent repositories
645,187,585 Downloads last month

Affected Version Ranges

All affected versions

0.0.4, 0.0.5, 0.0.6, 0.0.7, 0.0.8, 0.0.9, 0.0.10, 0.0.11, 0.0.12, 0.1.0, 0.1.1, 0.1.2, 0.1.3, 0.1.4, 0.1.5, 0.1.6, 0.1.7, 0.1.8, 0.1.9, 0.1.10, 0.1.11, 0.1.12, 0.1.13, 0.1.14, 0.1.15, 0.1.16, 0.2.0, 0.2.1, 0.2.2, 0.2.3, 0.2.4, 0.2.5, 0.2.6, 0.2.7, 0.2.8, 0.2.9, 0.3.0, 0.3.1, 0.3.2, 0.3.3, 0.3.4, 0.3.5, 0.3.6, 0.3.7, 0.3.8, 0.3.11, 0.3.12, 0.4.0, 0.4.1, 0.4.2, 0.4.3, 0.4.4, 0.4.5, 0.4.6, 0.4.7, 0.4.8, 0.4.9, 0.4.10, 0.4.12, 0.4.14, 0.4.15, 0.5.0, 0.5.2, 0.5.3, 0.5.4, 0.5.5, 0.5.6, 0.5.7, 0.5.8, 0.5.9, 0.5.10, 0.5.11, 0.5.12, 0.6.0, 0.6.1, 0.6.2, 0.6.3, 0.6.4, 0.6.5, 0.6.6, 0.6.7, 0.6.8, 0.6.9, 0.6.10, 0.6.11, 0.6.12, 0.6.13, 0.6.14, 0.6.15, 0.7.0, 0.7.1, 0.7.2, 1.0.0, 1.0.1, 1.1.1, 1.2.0, 1.2.1, 1.3.0, 1.3.1, 1.3.2, 1.4.0, 1.4.1, 1.4.2, 1.4.3, 1.4.4, 1.4.5, 1.4.6, 1.4.7, 1.4.8, 1.4.9, 1.4.10, 2.0.0, 2.0.0-beta.0, 2.0.0-beta.1, 2.0.0-beta.2, 2.0.0-beta.3, 2.0.1, 2.0.2, 2.0.3, 2.0.4, 2.1.0, 2.1.2, 2.1.3, 2.1.4, 2.2.0, 2.2.1, 2.2.2, 2.3.0, 2.4.0, 2.5.0, 3.0.0, 3.0.1, 3.0.2, 3.0.3, 3.0.4, 3.1.0, 3.1.1, 3.2.0, 3.2.1, 3.2.2, 3.2.3, 3.3.0, 3.3.1, 3.4.0, 3.5.0, 3.5.1, 3.5.2, 3.5.3, 3.6.0, 3.6.1, 3.6.2, 3.7.0, 3.7.1, 3.7.2, 3.8.0, 3.8.1, 3.8.2, 3.8.3, 3.8.4, 3.8.5, 3.8.6, 3.8.7, 3.8.8, 3.8.9, 3.8.10, 4.0.0, 4.0.1, 4.0.2, 4.0.3, 4.0.4, 4.0.5, 4.0.6, 4.1.0, 4.1.1, 4.1.2, 4.1.3, 4.1.4, 4.1.5, 4.1.6, 4.1.7, 4.1.8, 4.2.0, 4.3.0, 4.3.1, 4.4.0, 4.4.1, 4.5.0, 4.6.0, 4.6.1, 4.7.0, 4.7.1, 4.7.2, 4.7.3, 4.7.4, 4.7.5, 4.7.6, 4.7.7, 4.8.0, 4.8.1, 4.8.2, 4.9.0, 4.9.1, 4.9.2, 4.9.3, 4.10.0, 4.10.1, 4.10.2, 4.10.3, 4.10.4, 4.11.0, 4.11.1, 4.11.2, 4.11.3, 4.11.4, 4.11.5, 4.11.6, 4.11.7, 4.11.8, 5.0.0, 5.0.0-beta.0, 5.0.0-beta.1, 5.0.1, 5.0.1-beta.0, 5.0.1-beta.1, 5.0.1-beta.2, 5.0.1-beta.3, 5.0.2-beta.0, 5.0.3-beta.0, 5.0.4-beta.0, 5.0.4-beta.1, 5.0.4-beta.2, 5.0.4-beta.3, 5.1.0, 5.1.1, 5.1.2, 5.1.3, 5.1.4, 5.1.5, 5.1.6, 5.2.0, 5.2.1, 5.2.2, 5.2.3, 5.2.4, 5.2.5, 5.3.0, 5.4.0, 5.5.0, 5.5.1, 5.5.2, 6.0.0, 6.0.0-beta.0, 6.0.0-beta.1, 6.0.0-beta.2, 6.0.0-rc.0, 6.0.0-rc.1, 6.0.1, 6.1.0, 6.1.1, 6.2.0, 6.2.1, 6.3.0, 6.4.0, 6.5.0, 6.5.1, 6.5.2, 6.5.3, 6.5.4, 6.5.5, 6.6.0, 6.6.1, 6.6.2, 6.7.0, 6.8.0, 6.8.1, 6.9.0, 6.9.1, 6.9.2, 6.10.0, 6.10.1, 6.10.2, 6.11.0, 6.12.0, 6.12.1, 6.12.2

All unaffected versions

6.12.3, 6.12.4, 6.12.5, 6.12.6, 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.0.4, 7.1.0, 7.1.1, 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4, 8.0.0, 8.0.1, 8.0.2, 8.0.3, 8.0.4, 8.0.5, 8.1.0, 8.2.0, 8.3.0, 8.4.0, 8.5.0, 8.6.0, 8.6.1, 8.6.2, 8.6.3, 8.7.0, 8.7.1, 8.8.0, 8.8.1, 8.8.2, 8.9.0, 8.10.0, 8.11.0, 8.11.1, 8.11.2, 8.12.0, 8.13.0, 8.14.0, 8.15.0, 8.16.0, 8.17.1

An issue was discovered in ajv.validate() in Ajv (aka Another JSON Schema Validator) 6.12.2. A carefully crafted JSON schema could be provided that allows execution of other code by prototype pollution. (While untrusted schemas are recommended against, the worst case of an untrusted schema should be a denial of service, not execution of code.)

References:

Identifiers

GHSA-v88g-cgmw-v5xw

CVE-2020-15366

Risk

Severity

Moderate

EPSS

EPSS Percentage: 0.00331

EPSS Percentile: 0.55552

Classification

General

Source

GitHub Advisory Database

Origin

Unspecified

Repository

https://github.com/ajv-validator/ajv

Date and time

Published

over 3 years ago

Updated

over 1 year ago

API

JSON