CVE-2022-42743 — deep-parse-json vulnerable to Prototype Pollution

Description

deep-parse-json version 1.0.2 allows an external attacker to edit or add new properties to an object. This is possible because the application does not correctly validate the incoming JSON keys, thus allowing the `__proto__` property to be edited.

How to fix CVE-2022-42743

No fixed version has been published yet. Mitigate by removing the affected package or applying upstream guidance from the references below.

—no fix listed

Is CVE-2022-42743 being exploited?

Low — EPSS is 0.3%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

from 0, <= 1.0.2

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	MEDIUM5.3	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

References (4)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2022-42743
PATCHgithub.com/sibu-github/deep-parse-json
WEBfluidattacks.com/advisories/buuren
WEBgithub.com/sibu-github/deep-parse-json/issues/6