Fix CVE–2021–3918

[debricked]

CVE–2021–3918

Vulnerability details

Description

Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')

The software receives input from an upstream component that specifies attributes that are to be initialized or updated in an object, but it does not properly control modifications of attributes of the object prototype.

NVD

json-schema is vulnerable to Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')

GitHub

json-schema is vulnerable to Prototype Pollution

json-schema before version 0.4.0 is vulnerable to Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution').

CVSS details - 9.8

 

CVSS3 metrics
Attack Vector	Network
Attack Complexity	Low
Privileges Required	None
User interaction	None
Scope	Unchanged
Confidentiality	High
Integrity	High
Availability	High

References

    NVD - CVE-2021-3918
    json-schema is vulnerable to Prototype Pollution · CVE-2021-3918 · GitHub Advisory Database · GitHub
    Don't allow proto property to be used for schema default/coerce, … · kriszyp/json-schema@22f1461 · GitHub
    Prototype Pollution vulnerability found in json-schema
    Create SECURITY.md · Issue #84 · kriszyp/json-schema · GitHub
    GitHub - kriszyp/json-schema: JSON Schema specifications, reference schemas, and a CommonJS implementation
    json-schema/validate.js at master · kriszyp/json-schema · GitHub
    Protect against constructor modification, #84 · kriszyp/json-schema@b62f1da · GitHub
    Use a little more robust method of checking instances · kriszyp/json-schema@f6f6a3b · GitHub

 

Related information

📌 Remember! Check the changes to ensure they don't introduce any breaking changes.
📚 Read more about the CVE