CVE-2022-46175
Published: 24 December 2022
Summary
CVE-2022-46175 is a high-severity Prototype Pollution (CWE-1321) vulnerability in the JSON5 library (npm package `json5`). Its CVSS base score is 7.1 (High).
Operationally, it is ranked in the top 2.5% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
Deeper analysis
The vulnerability is a prototype pollution issue (CWE-1321) in the JSON5 library's `parse` method, affecting the 1.x line up to and including 1.0.1 and the 2.x line up to and including 2.2.1. Unlike the built-in JSON.parse, JSON5.parse does not treat a `__proto__` key in attacker-supplied input as an ordinary property: the key is assigned onto the object being built, so its value replaces the prototype of the returned object (the global Object prototype is not affected). A specially crafted JSON5 string can therefore inject arbitrary inherited properties into that object.
An attacker able to supply input to JSON5.parse (network-reachable in many configurations, though the CVSS 7.1 score reflects low required privileges and high attack complexity) can set unexpected keys on the resulting object. Depending on how the application subsequently uses or trusts that object without filtering, the impact may range from denial of service and cross-site scripting to privilege escalation or remote code execution.
The official GitHub Security Advisory and the subsequent patches state that the issue is fixed in json5 1.0.2 and 2.2.2. Recommended mitigations are upgrading to a patched release or replacing calls to JSON5.parse with the built-in JSON.parse, which creates an own property named `__proto__` instead of touching the prototype. Debian and other distributors have issued corresponding updates.
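The following added example (not code from the json5 project) models the pre-fix and post-fix assignment behaviour described above without depending on the `json5` package: a naive parser that writes keys with `out[key] = value` lets a `__proto__` key replace the returned object's prototype, a parser that uses `Object.defineProperty` keeps it as an own property, and a defender-side check flags any parsed object whose prototype is no longer `Object.prototype`. The input string and the `isAdmin` property are constructed for illustration.

```javascript
// Constructed untrusted input; it uses only JSON-compatible syntax so the
// built-in JSON.parse can tokenize it for both models below.
const UNTRUSTED = '{"name":"cfg","__proto__":{"isAdmin":true}}';

// Model of the vulnerable behaviour: assigning through out[key] invokes the
// inherited __proto__ setter, so the value becomes the object's prototype.
function naiveParse(text) {
  const pairs = JSON.parse(text); // JSON.parse yields an own "__proto__" prop
  const out = {};
  for (const key of Object.keys(pairs)) {
    out[key] = pairs[key];        // "__proto__" rewrites the prototype here
  }
  return out;
}

// Model of the fixed behaviour: every key, including "__proto__", becomes an
// ordinary own data property, leaving the prototype chain untouched.
function safeParse(text) {
  const pairs = JSON.parse(text);
  const out = {};
  for (const key of Object.keys(pairs)) {
    Object.defineProperty(out, key, {
      value: pairs[key], enumerable: true, writable: true, configurable: true,
    });
  }
  return out;
}

// Defender check for objects coming out of an untrusted parser: a plain
// object must still inherit from Object.prototype; anything else (including
// null) means a __proto__ key got through.
function hasPollutedPrototype(obj) {
  return Object.getPrototypeOf(obj) !== Object.prototype;
}

const naive = naiveParse(UNTRUSTED);
const safe = safeParse(UNTRUSTED);
console.log(naive.isAdmin, hasPollutedPrototype(naive)); // true true
console.log(safe.isAdmin, hasPollutedPrototype(safe));   // undefined false
console.log({}.isAdmin);                                  // undefined: global prototype intact
```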
EPSS scores have remained in the 0.42–0.46 range since disclosure with no pronounced upward trajectory.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2022-7580
Vulnerability details
JSON5 is an extension to the popular JSON file format that aims to be easier to write and maintain by hand (e.g. for config files). The `parse` method of the JSON5 library before and including versions 1.0.1 and 2.2.1 does not restrict parsing of keys named `__proto__`, allowing specially crafted strings to pollute the prototype of the resulting object. This vulnerability pollutes the prototype of the object returned by `JSON5.parse` and not the global Object prototype, which is the commonly understood definition of Prototype Pollution. However, polluting the prototype of a single object can have significant security impact for an application if the object is later used in trusted operations. This vulnerability could allow an attacker to set arbitrary and unexpected keys on the object returned from `JSON5.parse`. The actual impact will depend on how applications utilize the returned object and how they filter unwanted keys, but could include denial of service, cross-site scripting, elevation of privilege, and in extreme cases, remote code execution. `JSON5.parse` should restrict parsing of `__proto__` keys when parsing JSON strings to objects. As a point of reference, the `JSON.parse` method included in JavaScript ignores `__proto__` keys. Simply changing `JSON5.parse` to `JSON.parse` in the examples above mitigates this vulnerability. This vulnerability is patched in json5 versions 1.0.2, 2.2.2, and later.
- CWE(s): CWE-1321 (Improperly Controlled Modification of Object Prototype Attributes, 'Prototype Pollution')
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Mitigating Controls
No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.