CVE-2020-8268

HIGH

json8-merge-patch < 1.0.3 - Code Injection

Title source: llm
STIX 2.1

Description

Prototype pollution vulnerability in json8-merge-patch npm package < 1.0.3 may allow attackers to inject or modify methods and properties of the global object constructor.

References (1)

Core 1
Core References
Exploit, Issue Tracking, Third Party Advisory x_refsource_misc
https://hackerone.com/reports/980649

Scores

CVSS v3 7.5
EPSS 0.0128
EPSS Percentile 66.4%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Details

CWE
CWE-20 CWE-471
Status published
Products (2)
json8-merge-patch_project/json8-merge-patch < 1.0.3
npm/json8-merge-patch 0 - 1.0.3npm
Published Nov 09, 2020
Tracked Since Feb 18, 2026