VYPR
High severity · 8.1 · NVD Advisory · Published May 20, 2024 · Updated Apr 15, 2026

CVE-2024-29651

Description

A Prototype Pollution issue in API Dev Tools json-schema-ref-parser v.11.0.0 and v.11.1.0 allows a remote attacker to execute arbitrary code via the bundle(), parse(), resolve() and dereference() functions.
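To make the mechanism concrete, the following is an added example (not code from the project or the advisory): a minimal recursive options merge modelled on the `merge()` in lib/options.ts, first in a vulnerable form and then with the key filter from the fix. The `isMergeable` helper, the `runDemo` harness and the constructed malicious options object are assumptions for illustration.

```javascript
// Plain objects are merged recursively; everything else is assigned as-is.
function isMergeable(value) {
  return value !== null && typeof value === "object" &&
    !Array.isArray(value) && !(value instanceof Date) && !(value instanceof RegExp);
}

// Vulnerable form: every own key of `source` is merged, including "__proto__".
// target["__proto__"] resolves to Object.prototype, so the recursion writes
// into the prototype shared by every object in the process.
function mergeVulnerable(target, source) {
  if (!isMergeable(source)) return target;
  for (const key of Object.keys(source)) {
    const sourceSetting = source[key];
    if (isMergeable(sourceSetting)) {
      if (!isMergeable(target[key])) target[key] = {};
      mergeVulnerable(target[key], sourceSetting);
    } else if (sourceSetting !== undefined) {
      target[key] = sourceSetting;
    }
  }
  return target;
}

// Hardened form: the same merge with the fix's key denylist applied first.
const POLLUTION_KEYS = ["__proto__", "constructor", "prototype"];
function mergeHardened(target, source) {
  if (!isMergeable(source)) return target;
  const keys = Object.keys(source).filter((key) => !POLLUTION_KEYS.includes(key));
  for (const key of keys) {
    const sourceSetting = source[key];
    if (isMergeable(sourceSetting)) {
      if (!isMergeable(target[key])) target[key] = {};
      mergeHardened(target[key], sourceSetting);
    } else if (sourceSetting !== undefined) {
      target[key] = sourceSetting;
    }
  }
  return target;
}

// Constructed input: JSON.parse yields "__proto__" as an own, enumerable key,
// which is exactly what Object.keys() enumerates.
const MALICIOUS_OPTIONS = JSON.parse('{"resolve": {"__proto__": {"polluted": "yes"}}}');

// Merge the constructed options with the given merge function and report
// whether Object.prototype was written; cleans up so the process stays usable.
function runDemo(mergeFn) {
  mergeFn({ resolve: { external: true } }, MALICIOUS_OPTIONS);
  const leaked = ({}).polluted; // undefined unless the prototype was polluted
  delete Object.prototype.polluted;
  return leaked;
}
```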

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: @apidevtools/json-schema-ref-parser (npm)
Affected versions: >= 11.0.0, < 11.2.0
Patched versions: 11.2.0

Patches

1 commit: 8cad7f72c15b

fix(prototype): prevent prototype pollution

1 file changed · +2 −1
  • lib/options.ts (+2 −1, modified)
    @@ -182,7 +182,8 @@ export type ParserOptions = DeepPartial<$RefParserOptions>;
      */
     function merge(target: any, source: any) {
       if (isMergeable(source)) {
    -    const keys = Object.keys(source);
    +    // prevent prototype pollution
    +    const keys = Object.keys(source).filter((key) => !["__proto__", "constructor", "prototype"].includes(key));
         for (let i = 0; i < keys.length; i++) {
           const key = keys[i];
           const sourceSetting = source[key];
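Review bot: the filter added on the `const keys` line blocks `__proto__`, `constructor` and `prototype` by name but drops them silently, so a caller whose options object genuinely carries one of those keys gets no signal that it was ignored; consider rejecting such input explicitly, and add a regression test that merges `{"__proto__": {"polluted": true}}` into an options object and asserts that `({}).polluted` is still undefined. Keeping `Object.keys(source)` as the enumeration is correct here, since a `__proto__` key produced by `JSON.parse` is an own enumerable property that would otherwise reach `target[key]` on the lines below.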

