CVE-2022-41713

MEDIUM

deep-object-diff <1.1.0 - Code Injection

Title source: llm

Description

deep-object-diff version 1.1.0 allows an external attacker to edit or add new properties to an object. This is possible because the application does not properly validate incoming JSON keys, thus allowing the '__proto__' property to be edited.

Scores

CVSS v3 5.3
EPSS 0.0014
EPSS Percentile 33.2%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

CISA SSVC

Vulnrichment
Exploitation poc
Automatable yes
Technical Impact partial

Details

CWE
CWE-1321
Status published
Products (2)
deep-object-diff_project/deep-object-diff 1.1.0
npm/deep-object-diff 1.1.6 - 1.1.9
Published Nov 03, 2022
Tracked Since Feb 18, 2026