CVE-2022-26260: Prototype Pollution in simple-plist
9.8
CVSS Score
3.1
Basic Information
CVE ID
GHSA ID
EPSS Score
0.4993%
CWE
Published
3/23/2022
Updated
11/29/2023
KEV Status
No
Technology
JavaScript
Technical Details
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
---|---|---|---|
simple-plist | npm | < 1.3.1 | 1.3.1 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The .parse()
method in simple-plist is identified as vulnerable based on the description of the vulnerability and the patch that updates the plist dependency. The plist package is used by simple-plist for parsing plist files, and the update to plist from 3.0.4 to 3.0.5 is the fix for the vulnerability.