3.7

CVSS Score

3.1

-

CVSS Score

Basic Information

CVE ID

GHSA ID

GHSA-m56h-5xx3-2jc2

EPSS Score

CWE

CWE-1321

Published

12/18/2024

Updated

1/7/2025

KEV Status

Technology

JavaScript

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

GHSA-m56h-5xx3-2jc2

GHSA-m56h-5xx3-2jc2: Prototype pollution in jsii.configureCategories

Summary

jsii is a TypeScript to JavaScript compiler that also extracts an interface definition manifest to generate RPC stubs in various programming languages. jsii is typically used as a command-line tool, but it can also be loaded as a library. When loaded as a library into a larger application, prototype pollution may happen if untrusted user input is passed to the library. When used as a command line-tool, this pollution cannot occur.

Impact

You may be impacted if you have written an application that loads jsii as a library, and passes untrusted user input into the jsii.configureCategories() function. In that case, a user can craft input in such a way that, following the invocation, a field named "category" with a user-controlled value is added to the JavaScript Object prototype. This will cause every object in the program (both new and existing) to have a field named "category", even if it shouldn't.

This will not affect jsii itself, but it might affect the application you have loaded jsii into.

The function jsii.configureCategories() is used to configure the severity (error, warning, etc.) of various jsii diagnostics.

Impacted versions: <=5.7.2, <=5.6.3, <=5.5.14, <=5.4.45

Example:

const jsii = require('jsii');

// prints 'undefined'
console.log(JSON.stringify({}.category))

// calling 'configureCategories' with user input
jsii.configureCategories(JSON.parse('{"__proto__": "user-input"}'))

// from this point onwards, every single object literal in the program
// will contain the 'category' key, with user controlled value
console.log(JSON.stringify({}.category)) // prints 'user-input'


// this can affect the execution of the main program in case it also makes 
// use of an object key called 'category'. for example, if the main programs 
// happens to have code like this:

const x = {} // some object in the main program (not necessarily empty)

if (x.category) {
  // this block will always be executed, effectively 
  // changing the behavior of the main program.
  console.log('Do something')
} else {
  console.log('Do something else')
}

Miggo Vulnerability Database

→

GHSA-m56h-5xx3-2jc2

GHSA-m56h-5xx3-2jc2:

3.7

CVSS Score

3.1

-

CVSS Score

Basic Information

CVE ID

GHSA ID

GHSA-m56h-5xx3-2jc2

EPSS Score

CWE

CWE-1321

Published

12/18/2024

Updated

1/7/2025

KEV Status

Technology

JavaScript

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
jsii	npm	>= 5.7.0, < 5.7.3	5.7.3
jsii	npm	>= 5.6.0, < 5.6.4	5.6.4
jsii	npm	>= 5.5.0, < 5.5.15	5.5.15
jsii	npm	>= 5.4.0, < 5.4.46	5.4.46

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability documentation explicitly identifies jsii.configureCategories() as the entry point. The example shows prototype pollution occurs when untrusted input is passed to this function. The patch notes reference changes to 'use maps instead of literals in configureCategories', indicating the function was previously using unsafe object property assignment. The CWE-1321 (Prototype Pollution) classification aligns with this function's behavior of merging user input into objects without sanitizing prototype-modifying properties like proto.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

3.7

-

Basic Information

Basic Information

Concerned about an active attack path?

GHSA-m56h-5xx3-2jc2: Prototype pollution in jsii.configureCategories

Summary

Impact

GHSA-m56h-5xx3-2jc2:

3.7

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

3.7

3.7

Basic Information

Basic Information

GHSA-m56h-5xx3-2jc2: Prototype pollution in jsii.configureCategories

Summary

Impact

Patches

Workarounds

References

Credits

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI