CVE-2022-22912
Description
Prototype pollution in Plist.js .parse() before v3.0.4 can lead to DoS and potential RCE.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
A prototype pollution vulnerability exists in the parse() function of the Plist.js library (Apple property list parser) before version 3.0.4 [1]. The bug allows an attacker to inject properties into the global Object.prototype by crafting a malicious plist XML containing keys such as __proto__. The parser does not sanitize these special keys, enabling pollution of the prototype chain [3].
Exploitation
An attacker can exploit this by providing a specially crafted plist file or string to the parse() function. As demonstrated in [3], a malicious XML payload like `<dict><key>__proto__</key><dict><key>length</key><string>polluted</string></dict></dict>` causes Object.prototype.length to be set to the string "polluted". No authentication or special privileges are required; the attacker only needs to supply the malicious input to an application that parses it [2].
Impact
Successful prototype pollution can alter the behavior of objects across the application, potentially leading to Denial of Service (DoS) due to unexpected property changes. In some execution contexts, this can be escalated to remote code execution (RCE) if the polluted property affects control flow or security checks [2]. The CVSS score of the vulnerability is not explicitly provided in the references, but the impact spans both availability and potential integrity/confidentiality.
Mitigation
The vulnerability was fixed in version 3.0.4 of Plist.js. The fix, implemented in commit [4], adds a check that throws an error if a key is __proto__. Users should upgrade to v3.0.4 or later. No known workarounds exist besides upgrading. The package is not listed on the CISA Known Exploited Vulnerabilities (KEV) catalog as of the publication date.
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
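The key-assignment mechanism and the rejecting fix described above, as an added example that is not Plist.js code or part of the original record. The builder functions are a simplified, hypothetical stand-in for a parser that assigns untrusted dict keys into an object, and `SAMPLE_PAIRS` is constructed input.

```javascript
// Constructed input: the key/value pairs a parser would yield for
// <dict><key>__proto__</key><dict><key>length</key>
// <string>polluted</string></dict></dict>, plus one ordinary key.
const SAMPLE_PAIRS = [['__proto__', { length: 'polluted' }], ['name', 'demo']];

// Pre-fix pattern (hypothetical stand-in, not Plist.js source): untrusted
// keys are assigned straight into a plain object. Assigning an object to
// "__proto__" runs the inherited setter, so the result's prototype is
// replaced instead of an own property being created.
function buildDictUnsafe(pairs) {
  const out = {};
  for (const [key, value] of pairs) out[key] = value;
  return out;
}

// Same policy as the fix commit on this page: refuse the key outright.
function buildDictRejecting(pairs) {
  const out = {};
  for (const [key, value] of pairs) {
    if (key === '__proto__') {
      throw new Error('__proto__ keys can lead to prototype pollution');
    }
    out[key] = value;
  }
  return out;
}

// Alternative container (assumption, not what the fix does): an object
// with a null prototype has no "__proto__" setter, so the key is stored
// as ordinary data and nothing is inherited.
function buildDictNullProto(pairs) {
  const out = Object.create(null);
  for (const [key, value] of pairs) out[key] = value;
  return out;
}

// Check for callers: true when a parsed object's prototype was swapped.
function hasForeignPrototype(obj) {
  const proto = Object.getPrototypeOf(obj);
  return proto !== null && proto !== Object.prototype;
}

const demo = buildDictUnsafe(SAMPLE_PAIRS);
console.log(demo.length, Object.keys(demo), hasForeignPrototype(demo));
```

`hasForeignPrototype` can be run over the output of an unpatched parser as a post-parse check while an upgrade is being rolled out.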
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| plist (npm) | < 3.0.5 | 3.0.5 |
Affected products
- Plist/Plist
Patches
96e2303d059e: Merge pull request #118 from mario-canva/master
2 files changed · +18 −0
lib/parse.js+6 −0 modified@@ -153,6 +153,12 @@ function parsePlistXML (node) { if (isEmptyNode(node)) { return ''; } + + invariant( + node.childNodes[0].nodeValue !== '__proto__', + '__proto__ keys can lead to prototype pollution. More details on CVE-2022-22912' + ); + return node.childNodes[0].nodeValue; } else if (node.nodeName === 'string') { res = '';
test/parse.js+12 −0 modified@@ -187,6 +187,18 @@ U=</data> ); assert.deepEqual(parsed, { a: { a1: true } }); }); + + /* Test to protect against CVE-2022-22912 */ + it('should throw if key value is __proto__', function () { + assert.throws(function () { + parseFixture('<dict><key>__proto__</key><dict><key>length</key><string>polluted</string></dict></dict>'); + }); + + // adding backslash should still be protected. + assert.throws(function () { + parseFixture('<dict><key>_\_proto_\_</key><dict><key>length</key><string>polluted</string></dict></dict>'); + }); + }); }); describe('integration', function () {
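Review bot: In the lib/parse.js hunk, the guard reads `node.childNodes[0].nodeValue` for the comparison and the unchanged `return` line below it reads the same expression again; assign it to a local once, then test and return that variable, so the checked value and the returned key cannot diverge if this branch is edited later. The comparison is an exact match on `'__proto__'` only, so a short comment stating whether other special keys such as `constructor` are intentionally left accepted would document the scope of the check.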
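Review bot: In the test/parse.js hunk, the second `assert.throws` case passes `_\_proto_\_` inside a single-quoted JavaScript string, where `\_` evaluates to a plain `_`, so this fixture is the same input as the first case and adds no coverage; write the backslashes as `\\` if an escaped form is meant to be tested, or drop the case. Both `assert.throws` calls also omit an expected-error argument, so any exception satisfies them; pass a matcher on the invariant message so the test fails unless the new check is what threw.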
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-4cpg-3vgw-4877 (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2022-22912 (ghsa, ADVISORY)
- github.com/TooTallNate/plist.js/commit/96e2303d059e6be0c9e0c4773226d14b4758de52 (ghsa, WEB)
- github.com/TooTallNate/plist.js/issues/114 (ghsa, x_refsource_MISC, WEB)
- github.com/TooTallNate/plist.js/pull/118 (ghsa, WEB)