CVE-2020-8237: Uncontrolled Resource Consumption in json-bigint
CVSS Score: 7.5 (CVSS 3.1)
Basic Information
CVE ID: CVE-2020-8237
GHSA ID
EPSS Score: 0.63823%
CWE
Published: 5/7/2021
Updated: 2/1/2023
KEV Status: No
Technology: JavaScript
Technical Details
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| json-bigint | npm | < 1.0.0 | 1.0.0 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability stems from improper handling of `__proto__` and `constructor` keys during JSON object parsing. The security patch adds regex-based detection (suspectProtoRx/suspectConstructorRx) and validation logic in the object() function within lib/parse.js. In vulnerable versions (< 1.0.0), this function assigned these dangerous keys to the object being built without any check, enabling prototype pollution. At runtime the issue surfaces in the object parsing function being called with such keys, since that is where the unsafe property assignment took place before the mitigation.
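The key-validation step the patch introduces, reduced to a stand-alone helper as an added example (not json-bigint's own code): the regexes, the option names protoAction/constructorAction, and the 'error' | 'ignore' | 'preserve' actions are assumptions modelled on the fix, not copied from lib/parse.js. Keys are checked after JSON decoding, so a unicode-escaped `__proto__` is caught as well.

```javascript
// Assumed simplified equivalents of suspectProtoRx / suspectConstructorRx,
// applied to an already-decoded key rather than to the raw JSON text.
const PROTO_KEY = /^__proto__$/;
const CONSTRUCTOR_KEY = /^constructor$/;

// Hardened replacement for the bare `obj[key] = value` of the pre-1.0.0 parser.
// Actions (assumed names): 'error' rejects the input, 'ignore' drops the key,
// 'preserve' keeps it as an own data property so the inherited setter never runs.
function assignParsedKey(target, key, value, opts = {}) {
  const protoAction = opts.protoAction || 'error';
  const constructorAction = opts.constructorAction || 'error';

  if (PROTO_KEY.test(key)) {
    if (protoAction === 'error') throw new SyntaxError('forbidden __proto__ key');
    if (protoAction === 'ignore') return target;
    Object.defineProperty(target, key, { value, writable: true, enumerable: true, configurable: true });
    return target;
  }
  // A "constructor" key is only suspicious when its value carries a prototype.
  if (CONSTRUCTOR_KEY.test(key) && value !== null && typeof value === 'object' && 'prototype' in value) {
    if (constructorAction === 'error') throw new SyntaxError('forbidden constructor key');
    if (constructorAction === 'ignore') return target;
  }
  target[key] = value; // only reached for keys that passed the checks above
  return target;
}

// Stands in for the object() function: assembles an object from decoded pairs.
function buildObject(pairs, opts) {
  const obj = {};
  for (const [k, v] of pairs) assignParsedKey(obj, k, v, opts);
  return obj;
}

// Constructed sample input: the second key is "__proto__" written with \u005f escapes,
// exactly as a JSON decoder would hand it to the object-building step.
const samplePairs = [
  ['id', 1],
  [JSON.parse('"\\u005f\\u005fproto\\u005f\\u005f"'), { polluted: true }],
];
```

Calling buildObject(samplePairs) with the default 'error' action throws, while 'ignore' and 'preserve' both leave Object.prototype untouched.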