VYPR
Moderate severity · NVD Advisory · Published Nov 3, 2022 · Updated Dec 3, 2025

deep-parse-json 1.0.2 - Prototype Pollution

CVE-2022-42743

Description

CVE-2022-42743 in deep-parse-json 1.0.2 allows prototype pollution via unvalidated JSON keys, enabling an attacker to add or modify object properties.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability Overview

CVE-2022-42743 is a prototype pollution vulnerability in the deep-parse-json JavaScript library version 1.0.2. The library's deepParseJson function recursively parses stringified JSON input but fails to validate incoming JSON keys, specifically allowing the __proto__ property to be set. This enables an external attacker to inject or modify properties of an object's prototype [1][2][4].

Exploitation Conditions

The vulnerability is exploitable over the network without authentication or user interaction, as reflected in its CVSS v3.1 vector (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L) [4]. An attacker can craft a JSON payload containing a __proto__ key to pollute the object's prototype chain. Since the library is used to recursively parse JSON strings, any application that processes untrusted JSON input with deepParseJson is at risk [2][3].

Impact

Successful exploitation allows an attacker to add or edit properties on all objects that inherit from the polluted prototype. This can lead to unexpected behavior, property overwriting, and potentially further escalation depending on how the parsed object is used within the application. The vulnerability has a severity score of 7.3 (High) [4].

Mitigation Status

As of the public disclosure date (October 2022) and the advisory from Fluid Attacks, there is no patch available for this vulnerability [4]. Users of deep-parse-json 1.0.2 should consider alternative parsing libraries or apply input sanitization to block __proto__ and constructor.prototype keys until a fix is released [2][4].

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
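
The input sanitization suggested under Mitigation Status, as an added example that is not code from deep-parse-json or from the advisory: a recursive parser that drops the dangerous keys and builds its output on prototype-less objects. The names safeDeepParse and BLOCKED_KEYS, the depth limit of 64 and the sample payload are assumptions made for illustration.

```javascript
// Added example (hypothetical helper, not the deep-parse-json implementation).
// Keys that can reach a shared prototype when assigned on an ordinary object.
const BLOCKED_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Recursively parse stringified JSON while refusing blocked keys.
function safeDeepParse(value, depth = 0) {
  if (depth > 64) throw new RangeError('nesting too deep'); // assumed limit
  if (typeof value === 'string') {
    let parsed;
    try {
      parsed = JSON.parse(value);
    } catch {
      return value; // not JSON: keep the string unchanged
    }
    // Only descend into containers; scalar strings such as "123" stay strings.
    return parsed !== null && typeof parsed === 'object'
      ? safeDeepParse(parsed, depth + 1)
      : value;
  }
  if (Array.isArray(value)) {
    return value.map((item) => safeDeepParse(item, depth + 1));
  }
  if (value !== null && typeof value === 'object') {
    const out = Object.create(null); // no prototype chain to pollute
    for (const key of Object.keys(value)) {
      if (BLOCKED_KEYS.has(key)) continue; // drop the key and its subtree
      out[key] = safeDeepParse(value[key], depth + 1);
    }
    return out;
  }
  return value; // numbers, booleans, null
}

// Constructed sample input: a __proto__ key at the top level and another
// inside a nested stringified object.
const inner = '{"theme":"dark","__proto__":{"polluted":true}}';
const sample =
  `{"user":"alice","__proto__":{"polluted":true},"profile":${JSON.stringify(inner)}}`;

// Parse the sample and report whether Object.prototype was touched.
function demo() {
  const result = safeDeepParse(sample);
  return { result, polluted: ({}).polluted };
}
```

Objects returned by this helper have a null prototype, so callers should use Object.keys or Object.hasOwn on them rather than inherited methods such as hasOwnProperty.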

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: deep-parse-json (npm)
Affected versions: <= 1.0.2
Patched versions: none

Affected products

2

Patches

0

No patches discovered yet.

References

5
