JSON5, a popular npm library that got by >65M downloads/week, ranks in the top 0.1% of the most depended-upon packages on npm, is affected by a high severity security vulnerability that could allow attackers to execute arbitrary code of affected services using the library and their respective user base.
JSON5 is an extension to the popular JSON file format that aims to be easier to write and maintain by hand (e.g. for config files). It is not intended to be used for machine-to-machine communication.
The vulnerability, assigned as CVE-2022-46175 (CVSS score: 7.1), potentially affects a large number of frontend projects due to the popularity of JSON5 which is being downloaded at a rate of more than 65M downloads per week.
Jdgregson, a developer recently published details and a proof-of-concept exploit of a high-severity prototype pollution security vulnerability that affects the JSON5 version prior to 2.2.2. By adding or modifying properties of Object.prototype using a __proto__ or constructor payload, an attacker could exploit the CVE-2022-46175 flaw to execute arbitrary code or cause a denial of service condition on the system.
Prototype pollution is a JavaScript vulnerability that enables an attacker to add arbitrary properties to global object prototypes, which may then be inherited by user-defined objects[1]. The actual impact will depend on how applications utilize the returned object and how they filter unwanted keys, but could include denial of service, cross-site scripting, elevation of privilege, and in extreme cases, remote code execution.
“This vulnerability pollutes the prototype of the object returned by JSON5.parse and not the global Object prototype, which is the commonly understood definition of Prototype Pollution. However, polluting the prototype of a single object can have significant security impact for an application if the object is later used in trusted operations,” JSON5 developer jordanbtucker wrote on the advisories.
