Skip to main content

jsondiffpatch CVE-2026-8657

| EUVDEUVD-2026-30670 HIGH
Improperly Controlled Modification of Object Prototype Attributes (Prototype Pollution) (CWE-1321)
2026-05-16 snyk GHSA-j4fx-xxwh-2485
7.8
CVSS 4.0 · Vendor: snyk
Share

Severity by source

Vendor (snyk) PRIMARY
7.8 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from Vendor (snyk) · only source for this CVE.

CVSS VectorVendor: snyk

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

6
Analysis Updated
May 16, 2026 - 06:28 vuln.today
v2 (cvss_changed)
Re-analysis Queued
May 16, 2026 - 06:22 vuln.today
cvss_changed
CVSS changed
May 16, 2026 - 06:22 NVD
8.2 (HIGH) 7.8 (HIGH)
Patch available
May 16, 2026 - 06:01 EUVD
Source Code Evidence Fetched
May 16, 2026 - 05:42 vuln.today
Analysis Generated
May 16, 2026 - 05:42 vuln.today

DescriptionCVE.org

Versions of the package jsondiffpatch before 0.7.6 are vulnerable to Prototype Pollution via the jsondiffpatch.patch() and jsondiffpatch/formatters/jsonpatch.patch() APIs. An attacker can perform prototype pollution by supplying crafted delta or JSON Patch documents, as attacker-controlled property names and path segments are used to traverse and modify objects without restricting access to special properties like __proto__ or constructor.prototype, allowing modification of Object.prototype.

AnalysisAI

Prototype pollution in the jsondiffpatch JavaScript library before 0.7.6 allows attackers to modify Object.prototype by supplying crafted delta documents to jsondiffpatch.patch() or JSON Patch documents to the jsonpatch formatter's patch() API. Because attacker-controlled key names and JSON Pointer path segments were used to traverse and mutate objects without filtering __proto__, constructor, or prototype, any application that feeds untrusted diffs into the library can have global object behavior tampered with. A public POC exists in the Snyk advisory and an accompanying gist, but there is no public exploit identified at time of analysis (not on CISA KEV).

Technical ContextAI

jsondiffpatch is a widely used Node.js/browser library (npm package 'jsondiffpatch') for computing and applying JSON deltas, including an RFC 6902 JSON Patch formatter. The vulnerability is CWE-1321 (Improperly Controlled Modification of Object Prototype Attributes, 'Prototype Pollution'). Two code paths are at fault: packages/jsondiffpatch/src/filters/nested.ts, where the patch/reverse filters iterated delta keys and indexed into context.left[name] without rejecting __proto__ or restricting traversal to own properties (so a delta key chain like constructor.prototype walked through the inherited constructor into Object.prototype); and packages/jsondiffpatch/src/formatters/jsonpatch-apply.ts, where parsePathFromRFC6902 split a JSON Pointer string into segments that were used unchecked as property accessors. The fix introduces an UNSAFE_KEYS set ({__proto__, constructor, prototype} for JSON Patch paths, {__proto__} for delta filters combined with hasOwnProperty guards on left) so unsafe segments are skipped or rejected. The single affected CPE is cpe:2.3:a:n/a:jsondiffpatch:*:*:*:*:*:*:*:* covering versions 0 < 0.7.6.

RemediationAI

Upgrade the jsondiffpatch dependency to 0.7.6 or later (vendor-released patch: 0.7.6), which adds an UNSAFE_KEYS filter and an own-property guard in packages/jsondiffpatch/src/filters/nested.ts and rejects __proto__, constructor, and prototype segments in packages/jsondiffpatch/src/formatters/jsonpatch-apply.ts (see https://github.com/benjamine/jsondiffpatch/commit/381c0125efab49f6f0dbc08317d01d55717672af and https://security.snyk.io/vuln/SNYK-JS-JSONDIFFPATCH-16322990). If immediate upgrade is not possible, do not pass untrusted delta or JSON Patch documents into jsondiffpatch.patch() or jsondiffpatch/formatters/jsonpatch.patch(); pre-validate inputs by recursively rejecting any object key or JSON Pointer segment equal to __proto__, constructor, or prototype before applying, accepting that this validation must mirror the library's traversal exactly or risk bypass. As broader hardening, run Node with --disable-proto=delete (which removes the __proto__ accessor entirely and may break libraries that rely on it) or freeze Object.prototype at process startup with Object.freeze(Object.prototype) (which can break code that intentionally augments built-in prototypes); both are application-wide changes and should be tested before rollout.

CVE-2026-34621 HIGH POC
8.6 Apr 11

Prototype pollution in Adobe Acrobat Reader versions 24.001.30356, 26.001.21367 and earlier enables arbitrary code execu

CVE-2024-56059 CRITICAL
9.8 Dec 18

Prototype pollution in the farinspace Partners WordPress plugin (versions up to and including 0.2.0) enables remote unau

CVE-2020-28271 CRITICAL POC
9.8 Nov 12

Prototype pollution vulnerability in 'deephas' versions 1.0.0 through 1.0.5 allows attacker to cause a denial of service

CVE-2023-38894 CRITICAL POC
9.8 Aug 16

A Prototype Pollution issue in Cronvel Tree-kit v.0.7.4 and before allows a remote attacker to execute arbitrary code vi

CVE-2024-24292 CRITICAL POC
9.8 Mar 28

A Prototype Pollution issue in Aliconnect /sdk v.0.0.6 allows an attacker to execute arbitrary code via the aim function

CVE-2023-26121 CRITICAL POC
10.0 Apr 11

All versions of the package safe-eval are vulnerable to Prototype Pollution via the safeEval function, due to improper s

CVE-2021-23449 CRITICAL POC
10.0 Oct 18

This affects the package vm2 before 3.9.4 via a Prototype Pollution attack vector, which can lead to execution of arbitr

CVE-2024-39011 CRITICAL POC
9.8 Jul 30

Prototype Pollution in chargeover redoc v2.0.9-rc.69 allows attackers to execute arbitrary code or cause a Denial of Ser

CVE-2024-38988 CRITICAL POC
9.8 Mar 28

alizeait unflatto <= 1.0.2 was discovered to contain a prototype pollution via the method exports.unflatto at /dist/inde

CVE-2025-57347 CRITICAL POC
9.8 Sep 24

A vulnerability exists in the 'dagre-d3-es' Node.js package version 7.0.9, specifically within the 'bk' module's addConf

CVE-2025-57321 CRITICAL POC
9.8 Sep 24

A Prototype Pollution vulnerability in the util-deps.addFileDepend function of magix-combine-ex versions thru 1.2.10 all

CVE-2024-45435 CRITICAL POC
9.8 Aug 29

Chartist 1.x through 1.3.0 allows Prototype Pollution via the extend function. Rated critical severity (CVSS 9.8), this

Share

CVE-2026-8657 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy