CVE-2020-15366
Severity: MEDIUM
ajv < 6.12.3 - Prototype Pollution via Crafted JSON Schema
Title source: llmDescription
An issue was discovered in ajv.validate() in Ajv (aka Another JSON Schema Validator) 6.12.2. A carefully crafted JSON schema could be provided that allows execution of other code by prototype pollution. (While untrusted schemas are recommended against, the worst case of an untrusted schema should be a denial of service, not execution of code.)
References (4)
Core References
Release Notes, Third Party Advisory: https://github.com/ajv-validator/ajv/releases/tag/v6.12.3
Third Party Advisory: https://github.com/ajv-validator/ajv/tags
Permissions Required: https://hackerone.com/bugs?subject=user&report_id=894259
Vendor Advisory: https://security.netapp.com/advisory/ntap-20240621-0007/
Scores
CVSS v3: 5.6
EPSS: 0.0231
EPSS Percentile: 81.1%
Attack Vector: NETWORK
CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L
Details
CWE: CWE-1321
Status: published
Products (2)
ajv.js/ajv: 6.12.2
npm/ajv: 0 - 6.12.3 (npm)
Published: Jul 15, 2020
Tracked Since: Feb 18, 2026