Prototype Pollution in kriszyp/json-schema
Description
json-schema is vulnerable to Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A prototype pollution vulnerability in json-schema allows attackers to pollute Object.prototype via crafted schema definitions.
Vulnerability
According to the NVD entry [1], json-schema is vulnerable to prototype pollution. The validate function iterates over the properties of objTypeDef without filtering out __proto__ or constructor. This allows a malicious schema to define a __proto__ property with a default value, which is then assigned to the instance's prototype during validation. All versions prior to commit 22f1461 [2] are affected.
Exploitation
An attacker can supply a crafted JSON schema that includes a __proto__ property with a default value. When the validate function processes an instance object, it sets the default value on the instance's __proto__, thereby polluting Object.prototype. No authentication or special privileges are required; the attacker only needs to provide the malicious schema to an application that uses json-schema for validation.
Impact
Successful exploitation results in prototype pollution, allowing the attacker to inject arbitrary properties into Object.prototype. This can lead to property injection, denial of service, or other security issues depending on how the application uses the polluted properties. The impact is limited to the scope of the application's use of the polluted prototype.
Mitigation
The vulnerability is fixed in commit 22f1461 [2], which adds a check i != '__proto__'. A subsequent commit f6f6a3b [4] also filters constructor and uses hasOwnProperty for safer property access. Users should update to a version that includes these fixes. The repository is considered finished and does not implement the latest JSON Schema specifications [3]; users may consider migrating to a maintained implementation.
- NVD - CVE-2021-3918
- Don't allow __proto__ property to be used for schema default/coerce, … · kriszyp/json-schema@22f1461
- GitHub - kriszyp/json-schema: JSON Schema specifications, reference schemas, and a CommonJS implementation
- Use a little more robust method of checking instances · kriszyp/json-schema@f6f6a3b
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
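As an added example (not the library's code and not part of this advisory), the following JavaScript models the default-applying property walk of validate() in its pre-fix shape and in the shape the three patch commits give it, then checks an unrelated object for the injected property using a schema modelled on the project's regression test. The key set is an assumption that goes one step beyond the page's fix by also rejecting the prototype key name.

```javascript
'use strict';

// Key names that a schema-driven loop must never treat as ordinary
// properties when it writes into an instance. 'prototype' is added here
// beyond the two names the fix commits block (assumption, not the library's).
const UNSAFE_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function isUnsafeKey(key) {
  return UNSAFE_KEYS.has(key);
}

// Pre-fix shape (simplified model, not the library's code): walks
// schema.properties, fills in defaults and recurses into nested objects.
// instance[i] follows the prototype chain, so a "__proto__" entry in the
// schema makes `value` Object.prototype itself and the recursion then
// writes defaults onto it.
function applyDefaultsVulnerable(instance, schema) {
  const props = schema.properties || {};
  for (const i in props) {
    if (!props.hasOwnProperty(i)) continue;
    const propDef = props[i];
    let value = instance[i];
    if (value === undefined && propDef.default !== undefined) {
      value = instance[i] = propDef.default;
    }
    if (value && typeof value === 'object' && propDef.properties) {
      applyDefaultsVulnerable(value, propDef);
    }
  }
  return instance;
}

// Post-fix shape: skips the dangerous key names (commits 22f1461 and
// b62f1da) and reads only own properties of the instance (commit f6f6a3b).
// Object.prototype.hasOwnProperty.call is used instead of a method call on
// the instance so an instance that shadows hasOwnProperty, or one created
// with Object.create(null), cannot break the check.
function applyDefaultsHardened(instance, schema) {
  const props = schema.properties || {};
  const hasOwn = Object.prototype.hasOwnProperty;
  for (const i in props) {
    if (!hasOwn.call(props, i) || isUnsafeKey(i)) continue;
    const propDef = props[i];
    let value = hasOwn.call(instance, i) ? instance[i] : undefined;
    if (value === undefined && propDef.default !== undefined) {
      value = instance[i] = propDef.default;
    }
    if (value && typeof value === 'object' && propDef.properties) {
      applyDefaultsHardened(value, propDef);
    }
  }
  return instance;
}

// Constructed schema modelled on the project's regression test. It is built
// with JSON.parse so that "__proto__" becomes an own data property of the
// schema object; an object literal would instead set the object's prototype.
const POLLUTING_SCHEMA = JSON.parse(`{
  "type": "object",
  "properties": {
    "__proto__": {
      "type": "object",
      "properties": {
        "polluted": { "type": "string", "default": "polluted" }
      }
    }
  }
}`);

// Runs one walker over a fresh empty instance, then reports what an
// unrelated object sees for the injected property name (undefined when the
// walker is safe). Any pollution is removed again so the process stays clean.
function observePollution(walker) {
  try {
    walker({}, POLLUTING_SCHEMA);
    return ({}).polluted;
  } finally {
    delete Object.prototype.polluted;
  }
}
```

observePollution(applyDefaultsVulnerable) returns 'polluted' while observePollution(applyDefaultsHardened) returns undefined, and legitimate defaults are still applied by the hardened walk.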
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| json-schema (npm) | < 0.4.0 | 0.4.0 |
Affected products
- kriszyp/json-schema (GitHub): range unspecified
Patches
f6f6a3b02d66 · Use a little more robust method of checking instances
1 file changed · +1 −1
lib/validate.js+1 −1 modified@@ -208,7 +208,7 @@ var validate = exports._validate = function(/*Any*/instance,/*Object*/schema,/*O for(var i in objTypeDef){ if(objTypeDef.hasOwnProperty(i) && i != '__proto__' && i != 'constructor'){ - var value = instance[i]; + var value = instance.hasOwnProperty(i) ? instance[i] : undefined; // skip _not_ specified properties if (value === undefined && options.existingOnly) continue; var propDef = objTypeDef[i];
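Review bot: `instance.hasOwnProperty(i)` in the lib/validate.js hunk is looked up on the instance itself, so it throws for an instance created with Object.create(null) and is bypassed when the instance carries an own property named hasOwnProperty, which any JSON input can contain; `Object.prototype.hasOwnProperty.call(instance, i)` covers both cases. The commit message should also say that inherited properties are now treated as unspecified, since that changes what `options.existingOnly` skips for instances whose values live on a prototype.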
b62f1da1ff54 · Protect against constructor modification, #84
1 file changed · +1 −1
lib/validate.js+1 −1 modified@@ -207,7 +207,7 @@ var validate = exports._validate = function(/*Any*/instance,/*Object*/schema,/*O } for(var i in objTypeDef){ - if(objTypeDef.hasOwnProperty(i) && i != '__proto__'){ + if(objTypeDef.hasOwnProperty(i) && i != '__proto__' && i != 'constructor'){ var value = instance[i]; // skip _not_ specified properties if (value === undefined && options.existingOnly) continue;
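Review bot: adding `i != 'constructor'` to the blocklist in the lib/validate.js hunk leaves `var value = instance[i];` on the following context line reading through the instance's prototype chain, so the walk still descends into inherited objects; an own-property read on the instance side belongs in the same change. No regression test accompanies the new name (1 file changed), although the `prototypePollution` test added for `__proto__` in commit 22f1461 is the natural place for a `constructor` case.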
22f146111f54 · Don't allow __proto__ property to be used for schema default/coerce, fixes #84
3 files changed · +29 −1
.gitignore+2 −0 modified@@ -1 +1,3 @@ node_modules +yarn.lock +.vscode \ No newline at end of file
lib/validate.js+1 −1 modified@@ -207,7 +207,7 @@ var validate = exports._validate = function(/*Any*/instance,/*Object*/schema,/*O } for(var i in objTypeDef){ - if(objTypeDef.hasOwnProperty(i)){ + if(objTypeDef.hasOwnProperty(i) && i != '__proto__'){ var value = instance[i]; // skip _not_ specified properties if (value === undefined && options.existingOnly) continue;
test/tests.js+26 −0 modified@@ -92,4 +92,30 @@ var suite = vows.describe('JSON Schema').addBatch({ 'Json-Ref self-validates': assertSelfValidates('json-ref'), 'Json-Ref/Hyper': assertValidates('json-ref', 'hyper-schema'), 'Json-Ref/Core': assertValidates('json-ref', 'schema')*/ + prototypePollution: function() { + console.log('testing') + const instance = JSON.parse(` + { + "$schema":{ + "type": "object", + "properties":{ + "__proto__": { + "type": "object", + + "properties":{ + "polluted": { + "type": "string", + "default": "polluted" + } + } + } + }, + "__proto__": {} + } + }`); + + const a = {}; + validate(instance); + assert.equal(a.polluted, undefined); + } }).export(module);
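Review bot: the lib/validate.js hunk rejects only the literal key `__proto__`, so `constructor` is still walked and `var value = instance[i];` still reads inherited properties; a name blocklist together with an own-property read on the instance (as the later commits b62f1da and f6f6a3b on this page do) would close both at once. In the test/tests.js hunk, `console.log('testing')` is leftover debugging output and should be dropped, and the .gitignore hunk (yarn.lock, .vscode) is unrelated to the fix and belongs in a separate commit.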
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-896r-f27r-55mw (source: ghsa; ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2021-3918 (source: ghsa; ADVISORY)
- github.com/kriszyp/json-schema/commit/22f146111f541d9737e832823699ad3528ca7741 (source: ghsa; WEB)
- github.com/kriszyp/json-schema/commit/b62f1da1ff5442f23443d6be6a92d00e65cba93a (source: ghsa; WEB)
- github.com/kriszyp/json-schema/commit/f6f6a3b02d667aa4ba2d5d50cc19208c4462abfa (source: ghsa; WEB)
- huntr.dev/bounties/bb6ccd63-f505-4e3a-b55f-cd2662c261a9 (source: ghsa; WEB)
- lists.debian.org/debian-lts-announce/2022/12/msg00013.html (source: ghsa; mailing-list, WEB)
- security.netapp.com/advisory/ntap-20250117-0004 (source: ghsa; WEB)