
CVE-2022-41713: deep-object-diff vulnerable to Prototype Pollution

CVSS Score (v3.1): 5.3

Basic Information

EPSS Score: 0.20537%
Published: 11/4/2022
Updated: 1/28/2023
KEV Status: No
Technology: JavaScript

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Package Name: deep-object-diff
Ecosystem: npm
Vulnerable Versions: >= 1.1.6, < 1.1.9
First Patched Version: 1.1.9

Vulnerability Intelligence
Root Cause Analysis (Miggo AI)

The vulnerability stemmed from the diff functions using `{}` (objects that inherit from Object.prototype) as accumulators. This allowed attackers to inject `__proto__` properties through JSON input, because a key named `__proto__` on such an accumulator resolves to the inherited prototype setter rather than to an ordinary own property. The fix replaced `{}` with makeObjectWithoutPrototype() (Object.create(null)) in all four core diff functions, as seen in commit 9576963. Each function's pre-patch version could propagate `__proto__` properties to Object.prototype when processing malicious input, enabling prototype pollution.
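The example below is added here and is not deep-object-diff's own source. It is a simplified "added keys" walk written in the shape the analysis describes, first with a plain `{}` accumulator and then with the prototype-less accumulator the fix introduced, run over a constructed JSON document carrying a `__proto__` key. The function names, the `makeObjectWithoutPrototype()` helper and the `containsPrototypeKeys` check are assumptions made for illustration; the walk only shows how the inherited `__proto__` setter intercepts the write, not the full recursion path inside the library.

```javascript
// Added example (not deep-object-diff's own source): a minimal recursive
// "added keys" diff in the shape the root cause analysis describes, first with
// a plain {} accumulator, then with the prototype-less accumulator the fix uses.
// The hostile input is a constructed JSON document carrying a "__proto__" key.

const isObject = (o) => o !== null && typeof o === 'object';
const hasOwn = (o, k) => Object.prototype.hasOwnProperty.call(o, k);

// Pre-patch pattern: the accumulator inherits from Object.prototype, so
// acc["__proto__"] = value is handled by the inherited __proto__ setter.
// The key never becomes an own property; the result's prototype is silently
// swapped for attacker-controlled data instead.
function addedDiffUnsafe(lhs, rhs) {
  return Object.keys(rhs).reduce((acc, key) => {
    if (!hasOwn(lhs, key)) {
      acc[key] = rhs[key];
    } else if (isObject(lhs[key]) && isObject(rhs[key])) {
      acc[key] = addedDiffUnsafe(lhs[key], rhs[key]);
    }
    return acc;
  }, {});
}

// Post-patch pattern (assumed helper name, mirroring the fix described above):
// a null-prototype accumulator has no __proto__ setter, so "__proto__" is
// stored as an ordinary own data property and nothing is inherited.
function makeObjectWithoutPrototype() {
  return Object.create(null);
}

function addedDiffSafe(lhs, rhs) {
  return Object.keys(rhs).reduce((acc, key) => {
    if (!hasOwn(lhs, key)) {
      acc[key] = rhs[key];
    } else if (isObject(lhs[key]) && isObject(rhs[key])) {
      acc[key] = addedDiffSafe(lhs[key], rhs[key]);
    }
    return acc;
  }, makeObjectWithoutPrototype());
}

// Constructed hostile input: JSON.parse creates "__proto__" as an own key.
const HOSTILE_JSON = '{"__proto__": {"polluted": true}, "name": "x"}';

// Report how each variant handled the hostile key.
function compare(jsonText) {
  const rhs = JSON.parse(jsonText);
  const unsafe = addedDiffUnsafe({}, rhs);
  const safe = addedDiffSafe({}, rhs);
  return {
    // unsafe: "__proto__" vanished as an own key, but its value is now inherited
    unsafeOwnKeys: Object.keys(unsafe),
    unsafeInheritsPolluted: unsafe.polluted === true,
    // safe: key kept as plain data, prototype stays null, nothing inherited
    safeOwnKeys: Object.keys(safe),
    safeInheritsPolluted: safe.polluted === true,
    safePrototypeIsNull: Object.getPrototypeOf(safe) === null,
    // this simplified walk does not reach the global Object.prototype
    globalPolluted: ({}).polluted === true,
  };
}

// Defensive check (assumed helper) a consumer can run on any parsed or diffed
// tree before merging it into live state: flag prototype-related keys.
function containsPrototypeKeys(value) {
  if (!isObject(value)) return false;
  for (const key of Object.keys(value)) {
    if (key === '__proto__' || key === 'constructor' || key === 'prototype') return true;
    if (containsPrototypeKeys(value[key])) return true;
  }
  return false;
}

console.log(compare(HOSTILE_JSON));
```

Running it shows the unsafe result with `Object.keys` equal to `["name"]` yet `result.polluted === true`, while the safe result lists `__proto__` as an ordinary key, has a null prototype and inherits nothing. The `containsPrototypeKeys` check is the complementary consumer-side control: reject such keys before any merge, regardless of how the diff library builds its accumulators.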


WAF Protection Rules

WAF Rule

deep-object-diff before version 1.1.9 allows an external attacker to edit or add new properties to an object. This is possible because the application does not properly validate incoming JSON keys, thus allowing the `__proto__` property to be edited.
