Miggo Logo
Miggo Vulnerability Database
CVE-2022-25862

CVE-2022-25862:
Prototype Pollution in sds

7.5

CVSS Score
3.1

Basic Information

CVE ID
CVE-2022-25862
GHSA ID
GHSA-ph28-wwfj-fv7f
EPSS Score
0.37852%
CWE
CWE-1321
Published
5/14/2022
Updated
2/2/2023
KEV Status
No
Technology
TechnologyJavaScript

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Package NameEcosystemVulnerable VersionsFirst Patched Version
sdsnpm<= 4.4.0

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The vulnerability stems from the set function's incomplete validation of keypaths. Though it explicitly blocks 'proto' (the fix for CVE-2020-7618), it doesn't account for alternative prototype pollution vectors like 'constructor.prototype'. The recursive property creation logic (lines 23-34 in the provided set.js) combined with the lack of validation for prototype chain manipulation allows attackers to inject properties into Object.prototype. This matches the CWE-1321 pattern of improper prototype attribute control and aligns with the advisory's description of an incomplete fix for a previous prototype pollution vulnerability.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

T*is *****ts t** p**k*** s*s *rom *.*.*. T** li*r*ry *oul* ** tri*k** into ***in* or mo*i*yin* prop*rti*s o* t** O*j**t.prototyp* *y **usin* t** s*t *un*tion lo**t** in js/s*t.js. **Not*:** T*is vuln*r**ility **riv*s *rom *n in*ompl*t* *ix to *V*-***

Reasoning

T** vuln*r**ility st*ms *rom t** s*t *un*tion's in*ompl*t* v*li**tion o* k*yp*t*s. T*ou** it *xpli*itly *lo*ks '__proto__' (t** *ix *or *V*-****-****), it *o*sn't ***ount *or *lt*rn*tiv* prototyp* pollution v**tors lik* '*onstru*tor.prototyp*'. T** r