Json Schema Library
Monthly
Prototype pollution in sagold json-schema-library 11.5.0 and 11.5.1 allows remote low-privileged attackers to corrupt the JavaScript Object prototype by supplying crafted schema definitions or input data containing reserved keys such as `__proto__` processed by the `parsePropertyDependencies` function. The CVSS 4.0 vector confirms low-privilege network exploitation with limited but real confidentiality, integrity, and availability impact; the E:P supplemental metric confirms proof-of-concept code exists. No CISA KEV listing is present, so confirmed mass exploitation is not established at time of analysis.
Prototype pollution in sagold json-schema-library 11.5.0 and 11.5.1 allows remote low-privileged attackers to corrupt the JavaScript Object prototype by supplying crafted schema definitions or input data containing reserved keys such as `__proto__` processed by the `parsePropertyDependencies` function. The CVSS 4.0 vector confirms low-privilege network exploitation with limited but real confidentiality, integrity, and availability impact; the E:P supplemental metric confirms proof-of-concept code exists. No CISA KEV listing is present, so confirmed mass exploitation is not established at time of analysis.