Description
This affects the package json8 before 1.0.3. The function adds the property specified in the path to the target object; however, it does not properly check the key being set, leading to prototype pollution.
References (2)
Core References
Exploit, Third Party Advisory x_refsource_misc
https://snyk.io/vuln/SNYK-JS-JSON8-1017116
Patch, Third Party Advisory x_refsource_misc
https://github.com/sonnyp/JSON8/commit/2e890261b66cbc54ae01d0c79c71b0fd18379e7e
Scores
CVSS v3
6.5
EPSS
0.0187
EPSS Percentile
76.6%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
Details
CWE
CWE-1321
Status
published
Products (2)
json8_project/json8
< 1.0.3
npm/json8
0 - 1.0.3 (npm)
Published
Nov 12, 2020
Tracked Since
Feb 18, 2026