CVE-2022-22912: Prototype pollution in Plist before 3.0.5 can cause denial of service
9.8
CVSS Score
3.1
Basic Information
CVE ID
GHSA ID
EPSS Score
0.84909%
CWE
Published
2/18/2022
Updated
11/29/2023
KEV Status
No
Technology
JavaScript
Technical Details
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
---|---|---|---|
plist | npm | < 3.0.5 | 3.0.5 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability stems from the XML parser's handling of '<key>' elements. The unpatched code in parsePlistXML() (lines 153-163 in lib/parse.js) directly used node.childNodes[0].nodeValue for dictionary keys without validating against prototype pollution vectors like 'proto'. The commit 96e2303 added an invariant check specifically in this key-processing path, confirming this was the vulnerable area. The parse() function is the exposed API that triggers this logic. The test cases in test/parse.js demonstrate exploitation via key manipulation, and the CVE description explicitly references .parse() as the attack vector.