jsonicjs / jsonic

JSON parser that isn't strict
MIT License

Prototype Pollution Vulnerability Affecting @jsonic/jsonic-next module, versions * #31

Open tariqhawis opened 6 months ago

tariqhawis commented 6 months ago

Overview

A Prototype Pollution vulnerability affecting @jsonic/jsonic-next, due to a missing check for whether the argument resolves to the object prototype. This allows the attacker to inject a malicious object property using the built-in Object property __proto__, which is recursively assigned to all the objects in the program.

Details sent directly to the maintainer
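The mechanism described in the report, modelled as an added example that is not jsonic's own code: a path-walking assignment that never checks its keys (so a `__proto__` segment lands the write on `Object.prototype`), the same routine with the key check that blocks it, and a check for whether the shared prototype gained a property. `setPathUnsafe`, `setPathSafe`, `prototypeGained` and `demo` are hypothetical names.

```javascript
'use strict';

// Keys that let a plain property write reach the shared prototype chain.
const UNSAFE_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function isObject(v) { return typeof v === 'object' && v !== null; }

// Vulnerable pattern: walks a path such as ['__proto__', 'polluted'] with no key check.
// Reading node['__proto__'] yields Object.prototype, so the final write lands there
// and every object in the process inherits the value.
function setPathUnsafe(target, path, value) {
  let node = target;
  for (let i = 0; i < path.length - 1; i++) {
    if (!isObject(node[path[i]])) node[path[i]] = {};
    node = node[path[i]];
  }
  node[path[path.length - 1]] = value;
  return target;
}

// Hardened: reject prototype-reaching keys and only descend into own properties.
function setPathSafe(target, path, value) {
  let node = target;
  for (let i = 0; i < path.length; i++) {
    const key = path[i];
    if (typeof key !== 'string' || UNSAFE_KEYS.has(key)) {
      throw new Error(`refusing to assign unsafe key: ${String(key)}`);
    }
    if (i === path.length - 1) { node[key] = value; break; }
    if (!Object.prototype.hasOwnProperty.call(node, key) || !isObject(node[key])) node[key] = {};
    node = node[key];
  }
  return target;
}

// Detection: did a parse leave a new own property on Object.prototype?
function prototypeGained(name) {
  return Object.prototype.hasOwnProperty.call(Object.prototype, name);
}

// Runs both variants on the same constructed hostile path, records the outcome,
// and removes the polluted property so the process is left clean.
function demo() {
  const hostile = ['__proto__', 'polluted'];   // constructed sample input
  setPathUnsafe({}, hostile, 'yes');
  const unsafeLeaked = prototypeGained('polluted');
  const bystander = ({}).polluted;             // unrelated object now sees the value
  delete Object.prototype.polluted;
  let safeRejected = false;
  try { setPathSafe({}, hostile, 'yes'); } catch (e) { safeRejected = true; }
  return { unsafeLeaked, bystander, safeRejected, safeLeaked: prototypeGained('polluted') };
}
```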

rjrodger commented 3 months ago

@tariqhawis you have not sent me details.

And specifically, please provide a reproduction using the documented API of the utility, i.e. Jsonic(...). Reporting "security" issues in internal utility functions is not helpful, btw. https://x.com/matteocollina/status/1791137534996586808

/cc @wzrdtales