CVSS: 9.0 • EPSS: 40% • CPEs: 3 • EXPL: 2

23 Dec 2022 — JSON5 is an extension to the popular JSON file format that aims to be easier to write and maintain by hand (e.g. for config files). The `parse` method of the JSON5 library, in versions up to and including 1.0.1 and 2.2.1, does not restrict parsing of keys named `__proto__`, allowing specially crafted strings to pollute the prototype of the resulting object. This vulnerability pollutes the prototype of the object returned by `JSON5.parse` and not the global Object prototype, which is the commonly understood defi... • https://github.com/giz-berlin/quasar-app-webpack-json5-vulnerability • CWE-1321: Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')