VYPR
Critical severity · NVD Advisory · Published Mar 22, 2022 · Updated Aug 3, 2024

CVE-2022-26260

Description

A prototype pollution vulnerability in simple-plist v1.3.0 allows attackers to pollute Object.prototype via crafted plist XML during .parse().

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

Simple-Plist version 1.3.0 contains a prototype pollution vulnerability in the .parse() function. When parsing a specially crafted plist XML, the library does not filter keys such as __proto__, allowing an attacker to inject properties into Object.prototype [1][4].

Exploitation

An attacker can provide a malicious plist XML containing a __proto__ key with nested properties. The attack requires no authentication or special privileges; it only requires that the victim application calls plist.parse() on attacker-controlled input [4].

Impact

Successful exploitation allows the attacker to pollute Object.prototype with arbitrary properties, which can lead to unexpected behavior, denial of service, or further attacks depending on how the application uses the parsed object [4].

Mitigation

The vulnerability is fixed in simple-plist version 1.4.0, which updates the plist dependency to version 3.0.5 [3]. Users should upgrade to version 1.4.0 or later. No known workaround exists.
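The upgrade advice above can be checked against a project's lockfile. This added example (not code from the advisory or from simple-plist) scans Yarn lockfile text for plist entries that resolve below 3.0.5; the function names and the sample lockfile are constructed for illustration.

```javascript
// Added example, not project code. SAMPLE_LOCK is constructed input in the
// Yarn lockfile layout; FIXED_PLIST is the fixed release named in the advisory.
const FIXED_PLIST = [3, 0, 5];

const SAMPLE_LOCK = `
"plist@npm:^3.0.4":
  version: 3.0.4

"plist@npm:^3.0.5":
  version: 3.0.5

"simple-plist@workspace:.":
  version: 0.0.0-use.local
  dependencies:
    plist: ^3.0.4
`;

// Numeric comparison of [major, minor, patch]; negative when a is older than b.
function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] - b[i];
  }
  return 0;
}

// List each resolved plist entry and whether it predates the fixed release.
function auditPlist(lockText) {
  const findings = [];
  let descriptors = "";
  let inPlistEntry = false;
  for (const line of lockText.split(/\r?\n/)) {
    if (/^\S.*:\s*$/.test(line)) {
      // Unindented header such as "plist@npm:^3.0.4": starts a new entry.
      descriptors = line.trim().replace(/:$/, "").replace(/"/g, "");
      // startsWith, not includes: "simple-plist@..." must not count as plist.
      inPlistEntry = descriptors.split(/,\s*/).some((d) => d.startsWith("plist@"));
      continue;
    }
    // Accepts both `version: 3.0.4` (Berry) and `version "3.0.4"` (classic).
    const m = inPlistEntry && line.match(/^\s+version:?\s+"?(\d+)\.(\d+)\.(\d+)/);
    if (m) {
      const version = m.slice(1, 4).map(Number);
      const vulnerable = compareVersions(version, FIXED_PLIST) < 0;
      findings.push({ descriptors, version: version.join("."), vulnerable });
      inPlistEntry = false;
    }
  }
  return findings;
}
```

Feed it the contents of yarn.lock and fail the build when any finding has vulnerable set to true.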

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package | Affected versions | Patched versions
simple-plist (npm) | < 1.3.1 | 1.3.1

Patches

670e22fd6e46

fix: update plist to 3.0.5

https://github.com/wollardj/simple-plist · Robin Csutorás · Mar 30, 2022 · via ghsa
5 files changed · +11 -11
  • package.json+1 1 modified
    @@ -32,7 +32,7 @@
       "dependencies": {
         "bplist-creator": "0.1.0",
         "bplist-parser": "0.3.0",
    -    "plist": "^3.0.4"
    +    "plist": "^3.0.5"
       },
       "devDependencies": {
         "@types/jest": "^27.0.2",
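Review bot: the range bump at "plist": "^3.0.5" is the entire fix, and none of the five changed files is a test, so nothing in this commit shows that parsing a plist with a __proto__ key now leaves Object.prototype untouched. Jest is already listed under devDependencies in the context lines here, so a regression test asserting that would be cheap to add and would catch a later downgrade or a re-resolved lockfile.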
    
  • .pnp.cjs+5 5 modified
    @@ -44,7 +44,7 @@ function $$SETUP_STATE(hydrateRuntimeState, basePath) {
                 ["jest", "virtual:020fc7d94c59e3a3a9c7c102561baf39436220930bc71ae4b32b5080fe8189c54e6fb420af79d5d61c73eef83c6f1a6f5302cc6f1ef959b964e8f0dd7c434720#npm:27.3.1"],
                 ["lint-staged", "npm:11.2.4"],
                 ["npm-run-all", "npm:4.1.5"],
    -            ["plist", "npm:3.0.4"],
    +            ["plist", "npm:3.0.5"],
                 ["prettier", "npm:2.4.1"],
                 ["rimraf", "npm:3.0.2"],
                 ["ts-jest", "virtual:020fc7d94c59e3a3a9c7c102561baf39436220930bc71ae4b32b5080fe8189c54e6fb420af79d5d61c73eef83c6f1a6f5302cc6f1ef959b964e8f0dd7c434720#npm:27.0.7"],
    @@ -4709,10 +4709,10 @@ function $$SETUP_STATE(hydrateRuntimeState, basePath) {
             }]
           ]],
           ["plist", [
    -        ["npm:3.0.4", {
    -          "packageLocation": "./.yarn/cache/plist-npm-3.0.4-3d99846fa8-cb5883ed1b.zip/node_modules/plist/",
    +        ["npm:3.0.5", {
    +          "packageLocation": "./.yarn/cache/plist-npm-3.0.5-7ac7035402-f8b82816f6.zip/node_modules/plist/",
               "packageDependencies": [
    -            ["plist", "npm:3.0.4"],
    +            ["plist", "npm:3.0.5"],
                 ["base64-js", "npm:1.5.1"],
                 ["xmlbuilder", "npm:9.0.7"]
               ],
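Review bot: the packageLocation line points at a committed archive, plist-npm-3.0.5-7ac7035402-f8b82816f6.zip, whose contents this diff cannot show (the .zip entries are listed as +0 0), so the review has to rely on the hash suffix in the file name. The trailing f8b82816f6 does match the start of the yarn.lock checksum for plist@npm:3.0.5 in this commit. Since .pnp.cjs is generated, confirm it was regenerated by yarn rather than edited by hand, so that every place naming npm:3.0.5 stays in step with the lockfile.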
    @@ -5092,7 +5092,7 @@ function $$SETUP_STATE(hydrateRuntimeState, basePath) {
                 ["jest", "virtual:020fc7d94c59e3a3a9c7c102561baf39436220930bc71ae4b32b5080fe8189c54e6fb420af79d5d61c73eef83c6f1a6f5302cc6f1ef959b964e8f0dd7c434720#npm:27.3.1"],
                 ["lint-staged", "npm:11.2.4"],
                 ["npm-run-all", "npm:4.1.5"],
    -            ["plist", "npm:3.0.4"],
    +            ["plist", "npm:3.0.5"],
                 ["prettier", "npm:2.4.1"],
                 ["rimraf", "npm:3.0.2"],
                 ["ts-jest", "virtual:020fc7d94c59e3a3a9c7c102561baf39436220930bc71ae4b32b5080fe8189c54e6fb420af79d5d61c73eef83c6f1a6f5302cc6f1ef959b964e8f0dd7c434720#npm:27.0.7"],
    
  • .yarn/cache/plist-npm-3.0.4-3d99846fa8-cb5883ed1b.zip+0 0 removed
  • .yarn/cache/plist-npm-3.0.5-7ac7035402-f8b82816f6.zip+0 0 added
  • yarn.lock+5 5 modified
    @@ -3766,13 +3766,13 @@ fsevents@^2.3.2:
       languageName: node
       linkType: hard
     
    -"plist@npm:^3.0.4":
    -  version: 3.0.4
    -  resolution: "plist@npm:3.0.4"
    +"plist@npm:^3.0.5":
    +  version: 3.0.5
    +  resolution: "plist@npm:3.0.5"
       dependencies:
         base64-js: ^1.5.1
         xmlbuilder: ^9.0.7
    -  checksum: cb5883ed1b1aa227ddc5f99003750d312a8ac5cfd6f58d3ce0b24939255b175b54f25ebc6adcbd4266105ffd54f6831acb6cb06f529652bb3344215c10f5601b
    +  checksum: f8b82816f66559965a4dabf139bd8dd95cdec7e51f32742bb353af276ea8228b9807113743b860eda3e867f6ed70d2bcbc1e135b3204d92b5c37ac765f68444e
       languageName: node
       linkType: hard
     
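Review bot: the new checksum line is the only integrity anchor for the binary archive added under .yarn/cache, and it cannot be verified by reading the diff. Have CI run yarn install --immutable --check-cache so the committed archive is re-fetched and compared against this checksum before the change is merged.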
    @@ -4108,7 +4108,7 @@ fsevents@^2.3.2:
         jest: ^27.3.1
         lint-staged: ^11.2.4
         npm-run-all: ^4.1.5
    -    plist: ^3.0.4
    +    plist: ^3.0.5
         prettier: ^2.4.1
         rimraf: ^3.0.2
         ts-jest: ^27.0.7
    
