
CVE-2022-26260: Prototype Pollution in simple-plist

CVSS Score: 9.8 (CVSS v3.1)

Basic Information

EPSS Score: 0.4993%
Published: 3/23/2022
Updated: 11/29/2023
KEV Status: No
Technology: JavaScript

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Package Name: simple-plist
Ecosystem: npm
Vulnerable Versions: < 1.3.1
First Patched Version: 1.3.1

Vulnerability Intelligence

Root Cause Analysis

The .parse() method in simple-plist is identified as the vulnerable entry point, based on the vulnerability description and on the patch, which bumps the plist dependency. simple-plist uses the plist package to parse plist files, and the update of plist from 3.0.4 to 3.0.5 is the fix for the vulnerability.
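As an added example (not code from this page or from the simple-plist project), the following Node.js check walks an npm package-lock.json and flags copies of simple-plist below 1.3.1 and copies of its plist dependency below 3.0.5, the versions named above; the lock layout (lockfileVersion 2/3 "packages" map), the sample lock and the x.y.z-only version comparison are assumptions.

```javascript
// Added example: flag vulnerable simple-plist / plist installs in a lockfile.
// Fixed versions are the ones the advisory above gives; everything else
// (lock layout, sample data, plain x.y.z comparison) is assumed.
const FIXED = { 'simple-plist': '1.3.1', plist: '3.0.5' };

// Compare two x.y.z version strings numerically; returns -1, 0 or 1.
function compareVersions(a, b) {
  const pa = a.split('.').map(Number);
  const pb = b.split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const x = pa[i] || 0, y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Package name from a lock path such as "node_modules/a/node_modules/plist";
// nested copies matter because a patched hoisted plist does not fix a
// vulnerable copy nested under simple-plist.
function packageName(lockPath) {
  return lockPath.split('node_modules/').pop();
}

// Return every lock entry whose version is below the advisory's fixed version.
function findAffected(lock) {
  const findings = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (path === '') continue; // root project entry, not a dependency
    const name = packageName(path);
    const fixed = FIXED[name];
    if (fixed && meta.version && compareVersions(meta.version, fixed) < 0) {
      findings.push({ path, name, version: meta.version, fixedIn: fixed });
    }
  }
  return findings;
}

// Constructed sample lock: a vulnerable simple-plist with its nested plist,
// plus a patched plist copy hoisted to the top level (not flagged).
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', version: '0.0.1' },
    'node_modules/simple-plist': { version: '1.3.0' },
    'node_modules/simple-plist/node_modules/plist': { version: '3.0.4' },
    'node_modules/plist': { version: '3.0.5' },
  },
};

console.log(findAffected(SAMPLE_LOCK)); // two findings: simple-plist 1.3.0, nested plist 3.0.4
```

Run it against a real lock by replacing SAMPLE_LOCK with `JSON.parse(require('fs').readFileSync('package-lock.json', 'utf8'))`.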


WAF Protection Rules

WAF Rule

simple-plist v*.*.* was discovered to contain a prototype pollution vulnerability via .parse().
