CVE-2022-22912
Prototype Pollution vulnerability in plist (npm)

Prototype Pollution · No known exploit

What is CVE-2022-22912 About?

This vulnerability is a prototype pollution flaw in Plist, specifically via its `.parse()` function. The impact includes Denial of Service and potentially remote code execution. Exploitation would likely involve crafted input to the `.parse()` function and could be of moderate complexity.

Affected Software

plist <3.0.5

Technical Details

The vulnerability is a classic prototype pollution issue affecting the `.parse()` method of the plist library. Prototype pollution occurs when an attacker can inject arbitrary properties into JavaScript's `Object.prototype`. Because `Object.prototype` is the root of the prototype chain for every plain object, a property injected there becomes visible on all plain objects in the application, either directly or through inheritance. In the context of `.parse()`, this means that specially crafted input, once parsed, can reach and modify object prototypes rather than only the dictionary being built. Overwriting critical properties or methods in this way can crash the application (Denial of Service) or, in more severe cases, alter application logic and enable remote code execution if the application later reads a polluted property in a security-sensitive context.
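The following is an added illustration of the mechanism described above, not plist's own code: a generic "get or create the child dictionary, then write into it" step of the kind a streaming plist parser uses to assemble nested `<dict>` values, shown in a vulnerable and a hardened form, together with a runtime check that detects a polluted `Object.prototype`. The paths, values and the `polluted` property name are constructed for the demonstration.

```javascript
// Added example (not plist's code): nested-dictionary assembly as a prototype
// pollution sink, its hardened form, and a detection check.

// Keys through which a plain-object write can reach the prototype chain.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Vulnerable: node["__proto__"] reads Object.prototype, so the final write
// lands on every object in the process instead of on this dictionary.
function setPathUnsafe(root, path, value) {
  let node = root;
  for (const seg of path.slice(0, -1)) {
    if (typeof node[seg] !== 'object' || node[seg] === null) node[seg] = {};
    node = node[seg];
  }
  node[path[path.length - 1]] = value;
  return root;
}

// Hardened: reject prototype-reaching keys, descend only into own properties,
// and create properties with defineProperty so no inherited setter runs.
function setPathSafe(root, path, value) {
  if (path.some((seg) => FORBIDDEN_KEYS.has(seg))) {
    throw new Error(`rejected dictionary key path: ${path.join('/')}`);
  }
  const define = (obj, key, val) => Object.defineProperty(obj, key,
    { value: val, enumerable: true, writable: true, configurable: true });
  let node = root;
  for (const seg of path.slice(0, -1)) {
    const own = Object.prototype.hasOwnProperty.call(node, seg);
    if (!own || typeof node[seg] !== 'object' || node[seg] === null) define(node, seg, {});
    node = node[seg];
  }
  define(node, path[path.length - 1], value);
  return root;
}

// Detection: Object.prototype normally has no own enumerable properties, so any
// that appear are pollution. Usable from a test suite or a health probe.
function prototypePollutionIndicators() {
  return Object.keys(Object.prototype);
}

// Constructed stand-in for parsed <dict> content: a benign key and one key
// sequence that reaches the prototype chain.
const PARSED_ENTRIES = [[['Label'], 'com.example.agent'], [['__proto__', 'polluted'], true]];

function demo() {
  const unsafe = {};
  for (const [path, value] of PARSED_ENTRIES) setPathUnsafe(unsafe, path, value);
  const leaked = ({}).polluted === true;            // an unrelated object now sees the key
  const indicators = prototypePollutionIndicators(); // ["polluted"]
  delete Object.prototype.polluted;                  // undo for the rest of the process
  const safe = {};
  let rejected = false;
  for (const [path, value] of PARSED_ENTRIES) {
    try { setPathSafe(safe, path, value); } catch (e) { rejected = true; }
  }
  return { leaked, indicators, rejected, safeLabel: safe.Label,
           cleanAfter: prototypePollutionIndicators().length === 0 };
}
```

The check in `prototypePollutionIndicators()` is the part worth keeping in an application's own tests: it turns a silent global corruption into a failing assertion.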

What is the Impact of CVE-2022-22912?

Successful exploitation may allow attackers to cause a Denial of Service (DoS) by crashing the application, or in severe cases, achieve remote code execution by manipulating object prototypes.

What is the Exploitability of CVE-2022-22912?

Exploitation of this prototype pollution vulnerability typically involves crafting malicious input that, when processed by `plist.parse()`, injects properties into `Object.prototype`. The complexity ranges from moderate to high, depending on how the application handles parsed data and whether subsequent operations can be leveraged for code execution. No authentication is inherently required, as the attack vector is malformed input supplied to the parsing function. Privilege requirements are also minimal; being able to supply input to `parse()` is sufficient. This is generally a remote vulnerability when the input to the parsing function originates from an untrusted source, such as user-supplied data in a web application. Preconditions include the application actively parsing untrusted plist-formatted data and the existence of a gadget chain or vulnerable code path that can be leveraged after prototype pollution for a Denial of Service or remote code execution. Exploitation is more likely in applications that extensively use the plist library on untrusted input without proper sanitization.

What are the Known Public Exploits?

No known public exploits (no PoC author, link or commentary on record).

What are the Available Fixes for CVE-2022-22912?

Available Upgrade Options

  • plist
    • <3.0.5 → Upgrade to 3.0.5

Additional Resources

What are Similar Vulnerabilities to CVE-2022-22912?

Similar Vulnerabilities: CVE-2020-28285, CVE-2020-28284, CVE-2019-10744, CVE-2021-23420, CVE-2022-24434