Close Menu
    Subscribe
    Alerts

    CVE-2026-8657 | THREATINT

    adminBy No Comments1 Min Read


    Home

    Description

    Versions of the package jsondiffpatch before 0.7.6 are vulnerable to Prototype Pollution via the jsondiffpatch.patch() and jsondiffpatch/formatters/jsonpatch.patch() APIs. An attacker can perform prototype pollution by supplying crafted delta or JSON Patch documents, as attacker-controlled property names and path segments are used to traverse and modify objects without restricting access to special properties like __proto__ or constructor.prototype, allowing modification of Object.prototype.

    PUBLISHED Reserved 2026-05-15 | Published 2026-05-16 | Updated 2026-05-16 | Assigner snyk

    HIGH: 8.8CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N/E:P

    HIGH: 8.2CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:L/E:P

    Problem types

    Prototype Pollution

    Credits

    Yuki Matsuhashi

    References

    security.snyk.io/vuln/SNYK-JS-JSONDIFFPATCH-16322990

    gist.github.com/…tsuhashi/e570fb1579ae1f3190059b622b0473fb

    github.com/…es/jsondiffpatch/src/filters/nested.ts#L82-L87

    github.com/…/jsondiffpatch/src/filters/nested.ts#L107-L115

    github.com/…ch/src/formatters/jsonpatch-apply.ts#L146-L168

    github.com/…ch/src/formatters/jsonpatch-apply.ts#L171-L199

    github.com/…ommit/381c0125efab49f6f0dbc08317d01d55717672af

    cve.org (CVE-2026-8657)

    nvd.nist.gov (CVE-2026-8657)

    Download JSON



    Source link

    Share.

    Related Posts

    Add A Comment

    Comments are closed.