CVE-2022-41713
deep-object-diff vulnerable to Prototype Pollution
CVSS 3.1 base score: 5.3 (MEDIUM)
EPSS: 0.14%
Description
deep-object-diff versions 1.1.6 through 1.1.8 (see the affected range below) allow an external attacker to edit or add properties on the prototype shared by other objects (prototype pollution). The library does not validate the keys of incoming JSON before using them as property names, so a key named `__proto__` is handled like any other key and its value is written into the object's prototype rather than into an own property. Because every plain object inherits from `Object.prototype`, properties written there appear on unrelated objects throughout the process. The issue was fixed in version 1.1.9.
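The pattern described above, as an added example that is not code from deep-object-diff or its fix: a minimal recursive routine that copies the keys of an untrusted JSON object into a target object, first in the naive form that writes through `__proto__`, then in a hardened form that rejects prototype-reaching keys. The function names, the `FORBIDDEN_KEYS` set and the attacker payload are constructed for this demonstration.

```javascript
// Added example (not code from deep-object-diff): a recursive key copier
// that is a prototype-pollution sink when JSON keys are trusted, beside a
// hardened version. Names and the payload are constructed for the demo.

// True for objects that a recursive copier would descend into.
function isPlainObject(value) {
  return value !== null && typeof value === "object" && !Array.isArray(value);
}

// Vulnerable pattern: every key of `patch` is trusted as a property name.
// With the key "__proto__", `target["__proto__"]` resolves through the
// Object.prototype accessor to the target's prototype, so the recursion
// writes the attacker's keys straight into Object.prototype.
function applyNaive(target, patch) {
  for (const key of Object.keys(patch)) {
    const value = patch[key];
    if (isPlainObject(value)) {
      if (!isPlainObject(target[key])) target[key] = {};
      applyNaive(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Hardened pattern: reject the keys that can reach a prototype, and only
// descend into containers that are the target's *own* properties, so an
// inherited value is never used as a recursion target. Callers that prefer a
// hard failure can throw instead of skipping the key.
const FORBIDDEN_KEYS = new Set(["__proto__", "constructor", "prototype"]);

function applySafe(target, patch) {
  for (const key of Object.keys(patch)) {
    if (FORBIDDEN_KEYS.has(key)) continue;
    const value = patch[key];
    if (isPlainObject(value)) {
      const own = Object.prototype.hasOwnProperty.call(target, key);
      if (!own || !isPlainObject(target[key])) target[key] = {};
      applySafe(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Runs one routine against a constructed attacker payload and reports whether
// Object.prototype was polluted. Cleans up afterwards so later code is unaffected.
function pollutes(apply) {
  // Constructed payload. JSON.parse creates an *own* enumerable property named
  // "__proto__" (an object literal would not), so Object.keys() enumerates it.
  const untrusted = JSON.parse('{"__proto__": {"polluted": true}}');
  apply({}, untrusted);
  const leaked = ({}).polluted === true; // a fresh, unrelated object now carries it
  delete Object.prototype.polluted;
  return leaked;
}

console.log("naive pollutes:", pollutes(applyNaive)); // true
console.log("safe pollutes:", pollutes(applySafe));   // false
```

The check in `pollutes` is the one to keep in mind when triaging any JSON-driven merge, diff or patch helper: feed it a body whose key is `__proto__` and then look at a brand-new `{}`. The only remediation the advisory supports is the upgrade to 1.1.9; the hardened function here illustrates the class of fix, not the library's patch.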
How to fix CVE-2022-41713
To remediate CVE-2022-41713, upgrade the affected package to a fixed version:
- deep-object-diff: upgrade to 1.1.9 or later
Confirm which version is actually resolved in your lockfile with `npm ls deep-object-diff`; copies pulled in transitively by other dependencies need the same upgrade.
Is CVE-2022-41713 being exploited?
Low. EPSS is 0.14%, a very low estimated probability of exploitation in the wild over the next 30 days; exploitation activity has not been observed at scale.
Affected packages (1)
- deep-object-diff (npm): >= 1.1.6, < 1.1.9
CVSS scores
| Source | Version | Severity | Score | Vector |
|---|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM | 5.3 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N |