CVE-2024-38993
Description
Prototype pollution in jsonic-next v2.12.1 via empty and other functions allows arbitrary code execution or denial of service.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
CVE-2024-38993 describes a prototype pollution vulnerability in jsonic-next version 2.12.1, a JavaScript library providing a lenient JSON parser from the jsonicjs project [1][2]. The flaw resides in functions such as empty, util.clone, util.prop, util.deep, and make, which fail to sanitize input objects containing the __proto__ property [3]. This allows an attacker to inject arbitrary properties into the global Object.prototype.
Exploitation
An attacker can trigger the vulnerability by passing a crafted JavaScript object (e.g., {"__proto__": {"test": 123}}) to any of the affected functions [3]. The proof-of-concept code demonstrates that calling lib.empty(JSON.parse('{"__proto__": {"test": 123}}')) pollutes the prototype of all objects, as evidenced by the __proto__.test property appearing on a separate victim object [3]. No special network position or authentication is required; the attack vector is local to the client-side application or server-side Node.js environment where the library is used.
Impact
Successful exploitation enables the attacker to corrupt the Object.prototype of the JavaScript runtime, which can lead to arbitrary code execution, denial of service, or cross-site scripting (XSS), depending on how the polluted properties are subsequently used by the application [1][3]. The vulnerability has a CVSS v3.1 base score of 9.8 (Critical), reflecting the high severity and ease of exploitation [3].
Mitigation
As of publication, the vendor has not released a patched version; the advisory recommends avoiding the use of the affected functions with untrusted input or applying input sanitization to block __proto__ keys [1][3]. Users should monitor the jsonicjs/jsonic repository for an update and consider using alternative JSON parsing libraries that are not susceptible to prototype pollution.
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| jsonic (npm) | <= 2.12.1 | — |
Affected products
- rjrodger/jsonic-next
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"Missing sanitization of the `__proto__` key in property assignment allows prototype pollution."
Attack vector
An attacker passes a crafted object containing the `__proto__` property (e.g., `{"__proto__":{"test":123}}`) to any of the vulnerable functions: `empty`, `util.clone`, `util.prop`, `util.deep`, or `make` [ref_id=1]. The function recursively assigns properties onto the target object without checking for `__proto__`, which modifies `Object.prototype` and pollutes all objects inheriting from it [CWE-1321]. This can lead to arbitrary code execution or denial of service depending on the application's use of polluted properties [CWE-94] [ref_id=1].
Affected code
The vulnerable functions are `empty`, `util.clone`, `util.prop`, `util.deep`, and `make` in the `@jsonic/jsonic-next` package version 2.12.1 [ref_id=1]. These functions accept user-supplied objects and recursively assign properties without filtering the special `__proto__` key [ref_id=1].
What the fix does
No patch is included in the bundle. The advisory does not specify a fix or remediation commit [ref_id=1]. To close the vulnerability, the package should sanitize or block the `__proto__`, `constructor.prototype`, and similar prototype-modifying keys during property assignment in each of the listed functions.
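The advisory recommends sanitizing prototype-modifying keys but gives no code for it. The block below is an added example, not code from the jsonic-next project: it places the naive recursive assignment the advisory describes next to a hardened form that drops `__proto__`, `constructor` and `prototype` keys and only recurses into properties the target itself owns, and adds a check a defender can run to confirm `Object.prototype` is still clean. The names `FORBIDDEN_KEYS`, `isPlainObject`, `pollutionPayload`, `naiveDeep`, `safeDeep`, `prototypeIsClean` and `demo` are assumptions; the payload shape is the one quoted in the advisory.

```javascript
// Added example, not jsonic-next's own code. All function names are
// hypothetical; only the payload shape comes from the advisory.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function isPlainObject(v) {
  return v !== null && typeof v === 'object' && !Array.isArray(v);
}

// Constructed input in the advisory's shape. JSON.parse yields an OWN
// property literally named "__proto__", which Object.keys() does list.
function pollutionPayload(key, value) {
  return JSON.parse(`{"__proto__":{"${key}":${JSON.stringify(value)}}}`);
}

// The naive pattern the advisory describes (CWE-1321): reading target[key]
// with key === "__proto__" reaches Object.prototype, and the recursion then
// writes into it. Kept only for contrast with safeDeep below.
function naiveDeep(target, source) {
  for (const key of Object.keys(source)) {
    const val = source[key];
    if (isPlainObject(val)) {
      if (!isPlainObject(target[key])) target[key] = {};
      naiveDeep(target[key], val);
    } else {
      target[key] = val;
    }
  }
  return target;
}

// Hardened version: skip prototype-modifying keys, and only recurse into a
// property the target OWNS, never one inherited through the prototype chain.
function safeDeep(target, source) {
  const hasOwn = (o, k) => Object.prototype.hasOwnProperty.call(o, k);
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) continue;
    const val = source[key];
    if (isPlainObject(val)) {
      if (!hasOwn(target, key) || !isPlainObject(target[key])) target[key] = {};
      safeDeep(target[key], val);
    } else {
      target[key] = val;
    }
  }
  return target;
}

// Detection check: a fresh object must not inherit any of the given keys.
function prototypeIsClean(keys) {
  const probe = {};
  return keys.every((k) => !(k in probe));
}

// Runs both merges against the advisory's payload shape and reports whether
// Object.prototype stayed clean; the naive pollution is removed afterwards.
function demo() {
  const before = prototypeIsClean(['safeMarker']);
  safeDeep({}, pollutionPayload('safeMarker', 1));
  const afterSafe = prototypeIsClean(['safeMarker']);
  naiveDeep({}, pollutionPayload('naiveMarker', 1));
  const afterNaive = prototypeIsClean(['naiveMarker']);
  delete Object.prototype.naiveMarker; // undo the demonstration
  return { before, afterSafe, afterNaive };
}

console.log(demo()); // { before: true, afterSafe: true, afterNaive: false }
```

The own-property check matters as much as the key blocklist: even with `__proto__` filtered, recursing into an inherited property would let a merge write through the prototype chain. `prototypeIsClean` is the kind of probe worth running in a test suite after exercising any parser or merge helper with untrusted input.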
Preconditions
- input: The application must use @jsonic/jsonic-next version 2.12.1 and call one of the vulnerable functions (empty, util.clone, util.prop, util.deep, make) with attacker-controlled input.
- auth: No authentication is required; the attacker only needs to supply a crafted object to the vulnerable function.
Reproduction
```javascript
(async () => {
  const lib = await import('@jsonic/jsonic-next');
  var victim = {};
  var emptyObj = {}; // target for util.prop / util.deep (left undeclared in the advisory's PoC)
  console.log("Before Attack: ", JSON.stringify(victim.__proto__));
  try {
    lib.empty(JSON.parse('{"__proto__":{"test":123}}'));
    lib.util.clone(JSON.parse('{"__proto__":{"test":123}}'));
    lib.util.prop(emptyObj, "__proto__.test", 123);
    lib.util.deep(emptyObj, JSON.parse('{"__proto__":{"test":123}}'));
    lib.make(JSON.parse('{"__proto__":{"test":123}}'));
  } catch (e) { }
  // A polluted Object.prototype shows up on the unrelated victim object
  console.log("After Attack: ", JSON.stringify(victim.__proto__));
  delete Object.prototype.test; // remove the polluted "test" property again
})();
```
Generated on May 27, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
News mentions
No linked articles in our index yet.