CVE-2022-41713
Prototype Pollution vulnerability in deep-object-diff (npm)

Prototype Pollution · No known exploit

What is CVE-2022-41713 About?

This vulnerability in `deep-object-diff` before version 1.1.6 allows an external attacker to edit or add new properties to an object through prototype pollution. This is possible due to improper validation of incoming JSON keys, specifically allowing modification of the `__proto__` property. The impact is arbitrary code execution or denial of service.

Affected Software

deep-object-diff >1.1.6, <1.1.9

Technical Details

The `deep-object-diff` library is vulnerable to prototype pollution. The root cause is the lack of proper validation of incoming JSON keys when processing differences between objects. An attacker can submit input in which a key is named `__proto__`. When this key is processed, its value is assigned through the `__proto__` property of a base JavaScript object, so the write lands on the global `Object.prototype` rather than on the object being processed. Properties injected or modified there are inherited by all JavaScript objects in the application. This can lead to arbitrary property injection, data tampering, or, in some contexts, arbitrary code execution or denial of service.
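The root cause described above, shown as an added example that is not code from deep-object-diff or from this advisory: a generic recursive key walk that follows `__proto__`, beside a hardened version and an input gate. All function names (`naiveApply`, `safeApply`, `findUnsafeKeyPath`, `demo`) and the sample input are constructed for illustration.

```javascript
// Added example: generic stand-ins, not deep-object-diff's source code.
const UNSAFE_KEYS = new Set(['__proto__', 'constructor', 'prototype']);
const isObject = (v) => v !== null && typeof v === 'object' && !Array.isArray(v);

// Vulnerable pattern: recursing into target[key] for every key means the key
// "__proto__" resolves to Object.prototype, so the write lands on it.
function naiveApply(target, patch) {
  for (const key of Object.keys(patch)) {
    if (isObject(patch[key])) {
      if (!isObject(target[key])) target[key] = {};
      naiveApply(target[key], patch[key]);
    } else {
      target[key] = patch[key];
    }
  }
  return target;
}

// Hardened pattern: skip prototype-related keys and only descend into
// properties the target owns, never ones it inherits.
function safeApply(target, patch) {
  for (const key of Object.keys(patch)) {
    if (UNSAFE_KEYS.has(key)) continue;
    if (isObject(patch[key])) {
      const owned = Object.prototype.hasOwnProperty.call(target, key);
      if (!owned || !isObject(target[key])) target[key] = {};
      safeApply(target[key], patch[key]);
    } else {
      target[key] = patch[key];
    }
  }
  return target;
}

// Input gate: report the first unsafe key path so the request can be rejected.
function findUnsafeKeyPath(value, path = []) {
  if (value === null || typeof value !== 'object') return null;
  for (const key of Object.keys(value)) {
    if (UNSAFE_KEYS.has(key)) return [...path, key].join('.');
    const hit = findUnsafeKeyPath(value[key], [...path, key]);
    if (hit) return hit;
  }
  return null;
}

function demo() {
  const input = JSON.parse('{"profile":{"name":"a","__proto__":{"polluted":true}}}'); // constructed
  naiveApply({}, input);
  const naivePolluted = ({}).polluted === true;
  delete Object.prototype.polluted; // undo the pollution before continuing
  const merged = safeApply({}, input);
  return { naivePolluted, safePolluted: ({}).polluted === true, merged, unsafePath: findUnsafeKeyPath(input) };
}
```

Rejecting input at the gate is the stricter option; note that blocking `constructor` and `prototype` as key names can reject legitimate data that happens to use those names.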

What is the Impact of CVE-2022-41713?

Successful exploitation may allow attackers to inject arbitrary properties into object prototypes, potentially leading to unauthorized data modification, execution of arbitrary code, or denial of service.

What is the Exploitability of CVE-2022-41713?

Exploitation involves an attacker sending specially crafted JSON data as input, which includes the __proto__ key to modify Object.prototype. The complexity is moderate, requiring an understanding of JavaScript prototype chains and how to craft a suitable pollution payload. No authentication or specific privileges are typically required if the application processes external, untrusted JSON input using the vulnerable library. This is a remote exploitation vector as long as the malicious input can reach the deep-object-diff processing. The primary risk factor is any application that takes user-controlled JSON input and uses the affected library to merge or diff objects without sanitization.

What are the Known Public Exploits?

| PoC | Author | Link | Commentary |
|---|---|---|---|
| No known exploits | | | |

What are the Available Fixes for CVE-2022-41713?

Available Upgrade Options

  • deep-object-diff
    • >1.1.6, <1.1.9 → Upgrade to 1.1.9

Additional Resources

What are Similar Vulnerabilities to CVE-2022-41713?

Similar Vulnerabilities: CVE-2023-29496, CVE-2022-42969, CVE-2022-37706, CVE-2022-32149, CVE-2022-23594