
CVE-2022-46175

json5 <= 1.0.1 and 2.0.0-2.2.1 - Prototype Pollution

Severity Score: 8.8 (CVSS v3.1)
Exploit Likelihood (EPSS): -
Affected Versions (CPE): see the affected products list below
Public Exploits: 1 (multiple sources)
Exploited in Wild (KEV): -
Decision (SSVC): -

Descriptions

JSON5 is an extension to the popular JSON file format that aims to be easier to write and maintain by hand (e.g. for config files). The `parse` method of the JSON5 library before and including versions 1.0.1 and 2.2.1 does not restrict parsing of keys named `__proto__`, allowing specially crafted strings to pollute the prototype of the resulting object. This vulnerability pollutes the prototype of the object returned by `JSON5.parse` and not the global Object prototype, which is the commonly understood definition of Prototype Pollution. However, polluting the prototype of a single object can have significant security impact for an application if the object is later used in trusted operations. This vulnerability could allow an attacker to set arbitrary and unexpected keys on the object returned from `JSON5.parse`. The actual impact will depend on how applications utilize the returned object and how they filter unwanted keys, but could include denial of service, cross-site scripting, elevation of privilege, and in extreme cases, remote code execution. `JSON5.parse` should restrict parsing of `__proto__` keys when parsing JSON strings to objects. As a point of reference, the `JSON.parse` method included in JavaScript ignores `__proto__` keys. Simply changing `JSON5.parse` to `JSON.parse` in the examples above mitigates this vulnerability. This vulnerability is patched in json5 versions 1.0.2, 2.2.2, and later.


A flaw was found in the json5 package. The affected version of the json5 package could allow an attacker to set arbitrary and unexpected keys on the object returned from JSON5.parse.

The package json5 before 1.0.2 and between 2.0.0 and 2.2.1 inclusive is vulnerable to prototype pollution due to failure to restrict parsing of keys named `__proto__`. As this package is used in some WordPress plugins, this could result in the impacted plugins being vulnerable.
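The mechanism the description above attributes to `JSON5.parse`, shown as an added example (not code from the json5 project): a naive assignment-based builder models the `__proto__` handling, `JSON.parse` shows the comparison the advisory draws, and a reviver-based guard plus a prototype check show two ways an application can protect itself regardless of which parser produced the object. The sample document and the names `parseStrict`, `hasCleanPrototype` and `ownFlag` are assumptions constructed for this example.

```javascript
// Added example, not code from the json5 project: a model of the behaviour the
// advisory describes, JSON.parse for comparison, and defensive checks.
// Constructed input: a config-style document carrying a "__proto__" key.
const SAMPLE = '{"name":"svc","__proto__":{"isAdmin":true}}';

// Model of the vulnerable pattern: building the result with plain assignment.
// obj["__proto__"] = value invokes the inherited __proto__ setter, so "isAdmin"
// lands on the returned object's prototype rather than as an own key.
function buildWithAssignment(entries) {
  const obj = {};
  for (const [key, value] of entries) obj[key] = value;
  return obj;
}

// JSON.parse stores "__proto__" as an ordinary own data property and leaves
// the prototype of the result untouched.
function parseStandard(text) {
  return JSON.parse(text);
}

// Hardened wrapper: the reviver visits every own key at every nesting level,
// so a "__proto__" key anywhere in the document is rejected before use.
function parseStrict(text) {
  return JSON.parse(text, (key, value) => {
    if (key === '__proto__') throw new Error('rejected key: __proto__');
    return value;
  });
}

// Post-parse check for the output of any parser (json5 included): a plain
// parsed object must still inherit directly from Object.prototype.
function hasCleanPrototype(obj) {
  const proto = Object.getPrototypeOf(obj);
  return proto === Object.prototype || proto === null;
}

// Own-property lookup that an inherited (polluted) key cannot satisfy.
function ownFlag(obj, name) {
  return Object.prototype.hasOwnProperty.call(obj, name) ? obj[name] : undefined;
}

function demo() {
  const polluted = buildWithAssignment(Object.entries(parseStandard(SAMPLE)));
  return {
    inheritedIsAdmin: polluted.isAdmin, // true: served by the polluted prototype
    ownIsAdmin: ownFlag(polluted, 'isAdmin'), // undefined
    pollutedClean: hasCleanPrototype(polluted), // false
    standardClean: hasCleanPrototype(parseStandard(SAMPLE)), // true
  };
}
```

Checking `hasCleanPrototype` on the parsed result and reading flags through an own-property lookup are the two checks that catch this class of bug even when the parser itself is not patched.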

Credits: N/A
CVSS Scores

Metric               First vector  Second vector
Attack Vector        Network       Network
Attack Complexity    Low           High
Privileges Required  Low           Low
User Interaction     None          None
Scope                Unchanged     Unchanged
Confidentiality      High          High
Integrity            High          Low
Availability         High          High
* Common Vulnerability Scoring System
Timeline
  • 2022-11-28 CVE Reserved
  • 2022-12-23 CVE Published
  • 2024-08-03 CVE Updated
  • 2024-08-03 First Exploit
  • 2024-08-14 EPSS Updated
  • Exploited in Wild: -
  • KEV Due Date: -
CWE
  • CWE-1321: Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
Affected Vendors, Products, and Versions

Vendor         Product  Version            Other    Status
Json5          Json5    < 1.0.2            node.js  Affected
Json5          Json5    >= 2.0.0 < 2.2.2   node.js  Affected
Fedoraproject  Fedora   37                 -        Affected