json-pointer index.js set prototype pollution
Description
Prototype pollution vulnerability in json-pointer library's set function allows remote attackers to modify object prototypes, leading to potential code execution.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Prototype pollution vulnerability in json-pointer library's set function allows remote attackers to modify object prototypes, leading to potential code execution.
Vulnerability
Description CVE-2022-4742 is a critical prototype pollution vulnerability in the json-pointer library (versions up to 0.6.1). The flaw resides in the set function within index.js, which fails to properly validate pointer tokens when setting values on objects. An attacker can craft a malicious JSON pointer that includes __proto__, constructor, or prototype tokens, leading to uncontrolled modification of an object's prototype chain [1][2].
Exploitation
The attack can be launched remotely without authentication, as the library is commonly used in server-side JavaScript applications to manipulate JSON objects. By supplying a specially crafted pointer (e.g., ['__proto__', 'polluted']), an attacker can pollute the global Object.prototype, affecting all objects in the application [2][4]. The fix introduced in version 0.6.2 adds a check to ensure pointer tokens are strings or numbers before processing, preventing prototype pollution via array-based pointers [4].
Impact
Successful exploitation allows an attacker to inject properties into the base prototype, which can lead to denial of service, property injection, or potentially remote code execution depending on how the application uses the polluted properties. This vulnerability is classified as critical due to its remote exploitability and broad impact [1].
Mitigation
Users should upgrade to json-pointer version 0.6.2 or later, which includes the patch identified by commit 859c9984b6c407fc2d5a0a7e47c7274daa681941 [4]. No workarounds are available; upgrading is the recommended action [1].
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
json-pointernpm | < 0.6.2 | 0.6.2 |
Affected products
2- json-pointer/json-pointerdescription
Patches
1859c9984b6c4Merge pull request #36 from hhomar/fix-prototype-pollution
2 files changed · +12 −0
index.js+3 −0 modified@@ -75,6 +75,9 @@ api.set = function set (obj, pointer, value) { for (var i = 0; i < refTokens.length - 1; ++i) { var tok = refTokens[i]; + if (typeof tok !== 'string' && typeof tok !== 'number') { + tok = String(tok) + } if (tok === "__proto__" || tok === "constructor" || tok === "prototype") { continue }
test/test.js+9 −0 modified@@ -446,6 +446,15 @@ describe('convenience api wrapper', function() { expect(obj2.polluted).to.be.undefined(); }); + it('should not set __proto__ (array)', function () { + var obj = {}, objPointer = pointer(obj); + expect(obj.polluted).to.be.undefined(); + objPointer.set([['__proto__'], 'polluted'], true); + expect(obj.polluted).to.be.undefined(); + var obj2 = {}; + expect(obj2.polluted).to.be.undefined(); + }); + it('should not set prototype', function () { var obj = {}, objPointer = pointer(obj); expect(obj.polluted).to.be.undefined();
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
6- github.com/manuelstofer/json-pointer/commit/859c9984b6c407fc2d5a0a7e47c7274daa681941ghsapatchWEB
- github.com/advisories/GHSA-6xrf-q977-5vgcghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2022-4742ghsaADVISORY
- github.com/manuelstofer/json-pointer/pull/36ghsaissue-trackingWEB
- vuldb.comghsasignaturepermissions-requiredWEB
- vuldb.comghsavdb-entrytechnical-descriptionWEB
News mentions
0No linked articles in our index yet.