Prototype Pollution Flaw in json8-merge-patch Package by npm
CVE-2020-8268

7.5 HIGH

Key Information:

CVE Published: 9 November 2020

What is CVE-2020-8268?

The json8-merge-patch npm package is affected by a prototype pollution vulnerability that enables attackers to inject or modify methods and properties of the global object constructor. This flaw can lead to unexpected behavior in applications using this package, potentially compromising security and integrity. Versions 1.0.3 and earlier are impacted, so developers should update to mitigate the risks associated with this vulnerability.
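As a defensive illustration of the flaw class described above, the following added example (not code from json8-merge-patch or this advisory) shows a recursive merge that refuses prototype-related keys, plus a scanner that reports them in an incoming patch. It assumes an RFC 7396-style merge; the names `BLOCKED_KEYS`, `findBlockedKeys`, `safeApply` and `demo` are hypothetical, and the sample patch is constructed.

```javascript
// Added example: hypothetical helper names, not json8-merge-patch's own code.
const BLOCKED_KEYS = new Set(["__proto__", "constructor", "prototype"]);

const isPlainObject = (v) =>
  v !== null && typeof v === "object" && !Array.isArray(v);

// Return the path of every blocked key in a patch document, for logging or rejection.
function findBlockedKeys(patch, path = "") {
  if (!isPlainObject(patch)) return [];
  const hits = [];
  for (const key of Object.keys(patch)) {
    const here = `${path}/${key}`;
    if (BLOCKED_KEYS.has(key)) hits.push(here);
    hits.push(...findBlockedKeys(patch[key], here));
  }
  return hits;
}

// RFC 7396-style merge that never walks into or assigns a blocked key.
function safeApply(target, patch) {
  if (!isPlainObject(patch)) return patch;
  const result = isPlainObject(target) ? target : {};
  for (const key of Object.keys(patch)) {
    if (BLOCKED_KEYS.has(key)) continue; // drop instead of merging
    if (patch[key] === null) {
      delete result[key]; // null means "remove this member"
    } else {
      // Only recurse into the target's own properties, never inherited ones.
      const current = Object.prototype.hasOwnProperty.call(result, key)
        ? result[key]
        : undefined;
      result[key] = safeApply(current, patch[key]);
    }
  }
  return result;
}

// Constructed sample patch, as it would arrive from JSON.parse on a request body.
const samplePatch = JSON.parse(
  '{"name":"demo","__proto__":{"isAdmin":true},"tags":null,"meta":{"constructor":{"prototype":{"x":1}}}}'
);

function demo() {
  const doc = { name: "old", tags: ["a"], meta: { v: 1 } };
  const flagged = findBlockedKeys(samplePatch);
  const merged = safeApply(doc, samplePatch);
  return { flagged, merged, polluted: "isAdmin" in {} || "x" in {} };
}
```

Rejecting the request when `findBlockedKeys` returns anything is stricter than silently dropping the keys, and gives a log entry to alert on.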

Affected Version(s)

json8-merge-patch Fixed Version: 1.0.3

CVSS V3.1

Score: 7.5
Severity: HIGH
Confidentiality: None
Integrity: High
Availability: None
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved