Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Network-reachable prototype pollution requiring low privileges; scope unchanged as direct impact is limited to vulnerable system with L/L/L impact.
Primary rating from Vendor (vuldb).
CVSS VectorVendor: vuldb
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
1DescriptionCVE.org
A weakness has been identified in apidevtools json-schema-ref-parser up to 15.3.5. This impacts the function Refs.set/Pointer.set in the library lib/pointer.ts. Executing a manipulation can lead to improperly controlled modification of object prototype attributes. The attack can be launched remotely. Upgrading to version 15.3.6 will fix this issue. This patch is called a786bc6afc3674f650496472ee93d5cf74c4bd84. It is suggested to upgrade the affected component.
AnalysisAI
Prototype pollution in apidevtools json-schema-ref-parser up to v15.3.5 allows low-privileged remote attackers to modify Object prototype attributes via crafted input to the Refs.set/Pointer.set functions in lib/pointer.ts. The vulnerability is tagged RCE and Code Injection, reflecting the theoretical worst-case of prototype pollution in Node.js environments where polluted properties propagate to dangerous sinks; however, the CVSS 4.0 score of 2.1 with limited (L/L/L) impact ratings suggests the direct, exploitable impact is constrained. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | The application must pass attacker-influenced or externally-sourced JSON Schema or OpenAPI documents to json-schema-ref-parser for $ref resolution - this is the specific triggering condition. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 4.0 base score of 2.1 (AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L) reflects constrained direct impact: exploitation requires low privileges, and the vulnerable system's confidentiality, integrity, and availability impacts are all rated Low with no subsequent-system impact. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker with low-level access to an application (e.g., a registered API user) submits a crafted JSON Schema document containing a $ref pointer path targeting __proto__ or constructor.prototype. When the application passes this schema to json-schema-ref-parser for dereferencing, the Pointer.set function writes the attacker-controlled value onto the global Object prototype. … |
| Remediation | Upgrade json-schema-ref-parser to version 15.3.6 or later, which incorporates the fix at commit a786bc6afc3674f650496472ee93d5cf74c4bd84. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-94 – Code Injection
View allSame technique Code Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-42651
GHSA-hghm-9vcp-cxvv