CVE-2022-22912: Prototype pollution in Plist before 3.0.5 can cause denial of service

CVSS Score (CVSS 3.1)
9.8

Basic Information

EPSS Score
0.84909%
Published
2/18/2022
Updated
11/29/2023
KEV Status
No
Technology
JavaScript

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Package Name
plist
Ecosystem
npm
Vulnerable Versions
< 3.0.5
First Patched Version
3.0.5

Vulnerability Intelligence

Miggo AI Root Cause Analysis

The vulnerability stems from the XML parser's handling of `<key>` elements. The unpatched code in parsePlistXML() (lines 153-163 in lib/parse.js) used node.childNodes[0].nodeValue directly as the dictionary key, without validating it against prototype pollution vectors such as `__proto__`. Commit 96e2303 added an invariant check specifically in this key-processing path, confirming that this was the vulnerable area. The parse() function is the exposed API that reaches this logic. The test cases in test/parse.js demonstrate exploitation through key manipulation, and the CVE description explicitly names .parse() as the attack vector.
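As an added illustration (not the plist project's own code), the key-handling step is modelled below on a list of key/value pairs that stands in for the `<key>`/value child nodes lib/parse.js walks; the unpatched pattern is shown beside a hardened one that applies the kind of key check the fix introduced:

```javascript
'use strict';

// Key names that must never be used verbatim as property names on a
// plain object built from untrusted input.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Unpatched pattern: the text of each <key> becomes the property name as-is.
// A key of "__proto__" does not create an own property; it reaches the
// inherited setter and replaces the dictionary's prototype with the value.
function buildDictUnchecked(pairs) {
  const dict = {};
  for (const [key, value] of pairs) {
    dict[key] = value;
  }
  return dict;
}

// Hardened pattern: reject dangerous key names (the invariant the patch adds)
// and build on a null-prototype object so no inherited setter is reachable.
function buildDictChecked(pairs) {
  const dict = Object.create(null);
  for (const [key, value] of pairs) {
    if (typeof key !== 'string' || FORBIDDEN_KEYS.has(key)) {
      throw new Error(`refusing to use "${key}" as a dictionary key`);
    }
    Object.defineProperty(dict, key, {
      value, enumerable: true, writable: true, configurable: true,
    });
  }
  return dict;
}

// Convenience check: does the hardened builder reject this key list?
function isRejected(pairs) {
  try {
    buildDictChecked(pairs);
    return false;
  } catch (e) {
    return true;
  }
}

// Constructed samples (hypothetical plist content, not from the CVE tests):
// a benign dictionary and one whose key text is the prototype accessor name.
const BENIGN_PAIRS = [['CFBundleName', 'Demo'], ['Version', '1.0']];
const PROTO_PAIRS = [['CFBundleName', 'Demo'], ['__proto__', { polluted: true }]];
```

With the unchecked builder, `Object.keys()` of the result from PROTO_PAIRS contains only CFBundleName while the object now inherits `polluted`; the checked builder throws instead.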

WAF Protection Rules

WAF Rule

Prototype pollution vulnerability via `.parse()` in Plist allows attackers to cause a Denial of Service (DoS) and may lead to remote code execution.
