CVE-2022-25352: Prototype Pollution in libnested
9.8
CVSS Score
3.1
Basic Information
CVE ID
GHSA ID
EPSS Score
0.64123%
CWE
Published
3/18/2022
Updated
1/27/2023
KEV Status
No
Technology
JavaScript
Technical Details
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
---|---|---|---|
libnested | npm | < 1.5.2 | 1.5.2 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
- The vulnerability description explicitly states the set function is the entry point
- The commit diff shows critical modifications to the set function's path traversal loop
- The patch adds prototype pollution checks within the for-loop of the set function
- Test cases added in the commit specifically target prototype pollution scenarios via the set function
- The CVE references an incomplete fix from a previous prototype pollution vulnerability (CVE-2020-28283) in the same function
- The isPrototypePolluted helper function was modified to handle key.toString(), indicating previous string comparison issues in the vulnerable version