7.3

CVSS Score

3.0

Basic Information

CVE ID

CVE-2022-1295

GHSA ID

GHSA-vpgw-ffh3-648h

EPSS Score

0.66973%

CWE

CWE-1321

Published

4/12/2022

Updated

1/27/2023

KEV Status

Technology

JavaScript

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2022-1295

CVE-2022-1295:
Prototype Pollution in fullpage.js

fullPage utils are available to developers using window.fp_utils. They can use these utils for their own use-case (other than fullPage) as well. However, one of the utils deepExtend is vulnerable to Prototype Pollution vulnerability.

Javascript is "prototype" language which means when a new "object" is created, it carries the predefined properties and methods of an "object" with itself like toString, constructor etc. By using prototype-pollution vulnerability, an attacker can overwrite/create the property of that "object" type. If the victim developer has used that property anywhere in the code, then it will have severe effect on the application.

(GitHub Advisory)

7.3

CVSS Score

3.0

Basic Information

CVE ID

CVE-2022-1295

GHSA ID

GHSA-vpgw-ffh3-648h

EPSS Score

0.66973%

CWE

CWE-1321

Published

4/12/2022

Updated

1/27/2023

KEV Status

Technology

JavaScript

Technical Details

CVSS Vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
fullpage.js	npm	< 4.0.2	4.0.2

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability documentation explicitly identifies deepExtend as the vulnerable utility function. Prototype pollution vulnerabilities typically occur in deep merge functions that don't validate() if target properties are legitimate object properties versus prototype chain properties. The CWE-1321 mapping and advisory context confirm this is a classic case of unsafe recursive object property merging.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

*ullP*** utils *r* *v*il**l* to **v*lop*rs usin* win*ow.*p_utils. T**y **n us* t**s* utils *or t**ir own us*-**s* (ot**r t**n *ullP***) *s w*ll. *ow*v*r, on* o* t** utils ***p*xt*n* is vuln*r**l* to Prototyp* Pollution vuln*r**ility. J*v*s*ript is "

Reasoning

T** vuln*r**ility *o*um*nt*tion *xpli*itly i**nti*i*s `***p*xt*n*` *s t** vuln*r**l* utility *un*tion. Prototyp* pollution vuln*r**iliti*s typi**lly o**ur in ***p m*r** *un*tions t**t *on't `v*li**t*()` i* t*r**t prop*rti*s *r* l**itim*t* o*j**t prop

7.3

Basic Information

Concerned about an active attack path?

CVE-2022-1295: Prototype Pollution in fullpage.js

7.3

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

CVE-2022-1295:
Prototype Pollution in fullpage.js

Vulnerability Intelligence
Miggo AI