Miggo Logo

CVE-2020-8237: Uncontrolled Resource Consumption in json-bigint

7.5

CVSS Score
3.1

Basic Information

EPSS Score
0.63823%
Published
5/7/2021
Updated
2/1/2023
KEV Status
No
Technology
TechnologyJavaScript

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Package NameEcosystemVulnerable VersionsFirst Patched Version
json-bigintnpm< 1.0.01.0.0

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The vulnerability stems from improper handling of proto and constructor properties during JSON object parsing. The security patch adds regex-based detection (suspectProtoRx/suspectConstructorRx) and validation logic in the object() function within lib/parse.js. In vulnerable versions (<1.0.0), this function would process these dangerous properties without checks, enabling prototype pollution. The runtime detection would show the object parsing function being called with malicious keys, as this is where the unsafe property assignment occurred before mitigation.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

Prototyp* pollution in json-*i*int npm p**k*** < *.*.* m*y l*** to * **ni*l-o*-s*rvi** (*oS) *tt**k.

Reasoning

T** vuln*r**ility st*ms *rom improp*r **n*lin* o* __proto__ *n* *onstru*tor prop*rti*s *urin* JSON o*j**t p*rsin*. T** s**urity p*t** ***s r***x-**s** **t**tion (susp**tProtoRx/susp**t*onstru*torRx) *n* v*li**tion lo*i* in t** o*j**t() *un*tion wit*i