CVE-2022-46175
Prototype Pollution vulnerability in json5 (npm)


What is CVE-2022-46175 About?

This vulnerability is a prototype pollution flaw in the `parse` method of the `JSON5` library prior to version 2.2.2. A specially crafted JSON5 string can inject arbitrary properties onto the prototype of the object that `parse` returns. The impact ranges from denial of service to remote code execution, and exploitation is demonstrated with simple JSON5 input.

Affected Software

  • json5
    • >2.0.0, <2.2.2
    • <1.0.2

Technical Details

The vulnerability resides in the parse method of the JSON5 library in versions before 2.2.2 (fixed in 1.0.2 for the v1.x line). The parser does not restrict keys named `__proto__`. An attacker can embed `"__proto__"` as a key in a JSON5 string with an object value (e.g., `"__proto__": {"isAdmin": true}`). When JSON5.parse() processes this input, the plain assignment of that key replaces the prototype of the returned object, so `isAdmin: true` becomes an inherited property rather than an own property. The value is visible through ordinary lookups such as `obj.isAdmin`, yet invisible to checks that inspect only an object's own properties. This can lead to unexpected property modifications, logic bypasses, and, depending on how the application uses the parsed object, denial of service, cross-site scripting, or even remote code execution.
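The assignment pattern described above and the Object.defineProperty fix, as an added example that is not json5's own source; the tokenised key/value list stands in for the parser's output so the example runs without the library:

```javascript
// Added example, not json5's own code: models how JSON5.parse() < 2.2.2 attached
// parsed pairs to its result, and the defineProperty pattern the fix uses.

// Constructed input, equivalent to the parsed form of the JSON5 text
//   { "__proto__": { "isAdmin": true }, "name": "guest" }
const PARSED_PAIRS = [
  ['__proto__', { isAdmin: true }],
  ['name', 'guest'],
];

// Vulnerable pattern (json5 < 2.2.2): plain assignment. For the key
// "__proto__" this runs the inherited __proto__ setter and REPLACES the
// result object's prototype instead of creating an own property.
function buildVulnerable(pairs) {
  const result = {};
  for (const [key, value] of pairs) {
    result[key] = value;
  }
  return result;
}

// Fixed pattern (json5 >= 2.2.2 / 1.0.2): Object.defineProperty always
// creates an own data property, so "__proto__" is stored as a literal key
// and the prototype chain is left alone.
function buildFixed(pairs) {
  const result = {};
  for (const [key, value] of pairs) {
    Object.defineProperty(result, key, {
      value, writable: true, enumerable: true, configurable: true,
    });
  }
  return result;
}

// Defender-side check on a parse result: a prototype other than
// Object.prototype (or null) means the object was polluted, and any key
// reachable by for-in but not an own property was inherited from the input.
function inspect(obj) {
  const proto = Object.getPrototypeOf(obj);
  const own = Object.getOwnPropertyNames(obj);
  const inherited = [];
  for (const key in obj) {
    if (!Object.prototype.hasOwnProperty.call(obj, key)) inherited.push(key);
  }
  return { polluted: proto !== Object.prototype && proto !== null, own, inherited };
}

console.log('vulnerable:', inspect(buildVulnerable(PARSED_PAIRS)));
console.log('fixed:     ', inspect(buildFixed(PARSED_PAIRS)));
```

Note that only the returned object's prototype is replaced; `Object.prototype` itself is untouched unless the application later merges the parsed object into other structures.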

What is the Impact of CVE-2022-46175?

Successful exploitation may allow attackers to set arbitrary and unexpected keys on parsed objects, potentially leading to security control bypasses, information disclosure, denial of service, or, in extreme cases, remote code execution.

What is the Exploitability of CVE-2022-46175?

Exploitation is of low complexity. The primary prerequisite is that an application uses a vulnerable version of the JSON5 library and processes user-controlled input via JSON5.parse(). No specific authentication is required if the malicious input originates from an unauthenticated source that feeds into JSON5.parse(). Privilege requirements are low, as the attack targets the application's object modeling. This can be a remote vulnerability if the application exposes an endpoint that parses JSON5 input. The special condition is the application's reliance on the structure of objects parsed by JSON5 for security decisions. The likelihood of exploitation is high given the ease of crafting the malicious input and the common practice of parsing external data.

What are the Known Public Exploits?

PoC Author: giz-berlin
Link: Link
Commentary: Reproduction for CVE-2022-46175

What are the Available Fixes for CVE-2022-46175?

A Fix by Resolved Security Exists!
Learn how our approach backports security patches directly to your dependencies.

About the Fix from Resolved Security

The patch ensures that parsed properties, including special ones like `__proto__`, are defined directly on objects using Object.defineProperty, preventing prototype pollution by not allowing `__proto__` assignments to alter the object's actual prototype. This directly addresses CVE-2022-46175, which was caused by unsafe property assignment from user input, allowing attackers to manipulate object prototypes and potentially execute arbitrary code or alter program logic.

Available Upgrade Options

  • json5
    • <1.0.2 → Upgrade to 1.0.2
  • json5
    • >2.0.0, <2.2.2 → Upgrade to 2.2.2


Additional Resources

What are Similar Vulnerabilities to CVE-2022-46175?

Similar Vulnerabilities: CVE-2020-28282, CVE-2020-7699, CVE-2019-10744, CVE-2020-11022, CVE-2021-23424