CVE-2022-46175

Name of the Vulnerable Software and Affected Versions json5 versions 1.0.1 and earlier json5 versions 2.2.1 and earlier

Description The parse method of the json5 library does not restrict parsing of keys named proto, allowing specially crafted strings to pollute the prototype of the resulting object. This vulnerability could allow an attacker to set arbitrary and unexpected keys on the object returned from JSON5.parse. The actual impact will depend on how applications utilize the returned object and how they filter unwanted keys, but could include denial of service, cross-site scripting, elevation of privilege, and in extreme cases, remote code execution.

Recommendations For json5 versions 1.0.1 and earlier, upgrade to version 1.0.2 or later. For json5 versions 2.2.1 and earlier, upgrade to version 2.2.2 or later. As a temporary workaround, consider using the JSON.parse method instead of JSON5.parse to mitigate this vulnerability. Restrict access to the parse method of the json5 library to minimize the risk of exploitation. Avoid using the proto key in the affected API endpoint until the issue is resolved.