Miggo Logo
Miggo Vulnerability Database
CVE-2022-25352

CVE-2022-25352: Prototype Pollution in libnested

9.8

CVSS Score
3.1

Basic Information

CVE ID
CVE-2022-25352
GHSA ID
GHSA-x5m8-2r8v-8f97
EPSS Score
0.64123%
CWE
CWE-1321
Published
3/18/2022
Updated
1/27/2023
KEV Status
No
Technology
TechnologyJavaScript

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Package NameEcosystemVulnerable VersionsFirst Patched Version
libnestednpm< 1.5.21.5.2

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

  1. The vulnerability description explicitly states the set function is the entry point
  2. The commit diff shows critical modifications to the set function's path traversal loop
  3. The patch adds prototype pollution checks within the for-loop of the set function
  4. Test cases added in the commit specifically target prototype pollution scenarios via the set function
  5. The CVE references an incomplete fix from a previous prototype pollution vulnerability (CVE-2020-28283) in the same function
  6. The isPrototypePolluted helper function was modified to handle key.toString(), indicating previous string comparison issues in the vulnerable version

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

T** p**k*** li*n*st** ***or* *.*.* *r* vuln*r**l* to Prototyp* Pollution vi* t** s*t *un*tion in in**x.js. **Not*:** T*is vuln*r**ility **riv*s *rom *n in*ompl*t* *ix *or [*V*-****-*****](*ttps://s**urity.snyk.io/vuln/SNYK-JS-LI*N*ST**-*******)

Reasoning

*. T** vuln*r**ility **s*ription *xpli*itly st*t*s t** s*t *un*tion is t** *ntry point *. T** *ommit *i** s*ows *riti**l mo*i*i**tions to t** s*t *un*tion's p*t* tr*v*rs*l loop *. T** p*t** ***s prototyp* pollution ****ks wit*in t** *or-loop o* t** s