VulnerableCode Vulnerability Details

Staging Environment: Content and features may be unstable or change without notice.

Search for vulnerabilities

Vulnerability details: VCID-y3ey-aab7-q3fk

Essentials
Severities (34)
References (22)
Severity details (23)
Exploits (0)
EPSS
History (1)

Vulnerability ID	VCID-y3ey-aab7-q3fk
Aliases	CVE-2022-46175 GHSA-9c47-m6qq-7p4h
Summary	Prototype Pollution in JSON5 via Parse Method The `parse` method of the JSON5 library before and including version `2.2.1` does not restrict parsing of keys named `__proto__`, allowing specially crafted strings to pollute the prototype of the resulting object. This vulnerability pollutes the prototype of the object returned by `JSON5.parse` and not the global Object prototype, which is the commonly understood definition of Prototype Pollution. However, polluting the prototype of a single object can have significant security impact for an application if the object is later used in trusted operations. ## Impact This vulnerability could allow an attacker to set arbitrary and unexpected keys on the object returned from `JSON5.parse`. The actual impact will depend on how applications utilize the returned object and how they filter unwanted keys, but could include denial of service, cross-site scripting, elevation of privilege, and in extreme cases, remote code execution. ## Mitigation This vulnerability is patched in json5 v2.2.2 and later. A patch has also been backported for json5 v1 in versions v1.0.2 and later. ## Details Suppose a developer wants to allow users and admins to perform some risky operation, but they want to restrict what non-admins can do. To accomplish this, they accept a JSON blob from the user, parse it using `JSON5.parse`, confirm that the provided data does not set some sensitive keys, and then performs the risky operation using the validated data: ```js const JSON5 = require('json5'); const doSomethingDangerous = (props) => { if (props.isAdmin) { console.log('Doing dangerous thing as admin.'); } else { console.log('Doing dangerous thing as user.'); } }; const secCheckKeysSet = (obj, searchKeys) => { let searchKeyFound = false; Object.keys(obj).forEach((key) => { if (searchKeys.indexOf(key) > -1) { searchKeyFound = true; } }); return searchKeyFound; }; const props = JSON5.parse('{"foo": "bar"}'); if (!secCheckKeysSet(props, ['isAdmin', 'isMod'])) { doSomethingDangerous(props); // "Doing dangerous thing as user." } else { throw new Error('Forbidden...'); } ``` If the user attempts to set the `isAdmin` key, their request will be rejected: ```js const props = JSON5.parse('{"foo": "bar", "isAdmin": true}'); if (!secCheckKeysSet(props, ['isAdmin', 'isMod'])) { doSomethingDangerous(props); } else { throw new Error('Forbidden...'); // Error: Forbidden... } ``` However, users can instead set the `__proto__` key to `{"isAdmin": true}`. `JSON5` will parse this key and will set the `isAdmin` key on the prototype of the returned object, allowing the user to bypass the security check and run their request as an admin: ```js const props = JSON5.parse('{"foo": "bar", "__proto__": {"isAdmin": true}}'); if (!secCheckKeysSet(props, ['isAdmin', 'isMod'])) { doSomethingDangerous(props); // "Doing dangerous thing as admin." } else { throw new Error('Forbidden...'); } ```
Status	Published
Exploitability	0.5
Weighted Severity	8.0
Risk	4.0
Affected and Fixed Packages	Package Details

Weaknesses (3)

CWE-1321	Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
CWE-1035	OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
CWE-937	OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities

System	Score	Found at
cvssv3	8.8	https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-46175.json
epss	0.46501	https://api.first.org/data/v1/epss?cve=CVE-2022-46175
epss	0.46501	https://api.first.org/data/v1/epss?cve=CVE-2022-46175
epss	0.46501	https://api.first.org/data/v1/epss?cve=CVE-2022-46175
epss	0.46501	https://api.first.org/data/v1/epss?cve=CVE-2022-46175
epss	0.46501	https://api.first.org/data/v1/epss?cve=CVE-2022-46175
epss	0.46501	https://api.first.org/data/v1/epss?cve=CVE-2022-46175
epss	0.46501	https://api.first.org/data/v1/epss?cve=CVE-2022-46175
epss	0.46501	https://api.first.org/data/v1/epss?cve=CVE-2022-46175
epss	0.46501	https://api.first.org/data/v1/epss?cve=CVE-2022-46175
epss	0.46501	https://api.first.org/data/v1/epss?cve=CVE-2022-46175
epss	0.46501	https://api.first.org/data/v1/epss?cve=CVE-2022-46175
cvssv3.1_qr	HIGH	https://github.com/advisories/GHSA-9c47-m6qq-7p4h
cvssv3.1	7.1	https://github.com/json5/json5
generic_textual	HIGH	https://github.com/json5/json5
cvssv3.1	7.1	https://github.com/json5/json5/commit/62a65408408d40aeea14c7869ed327acead12972
generic_textual	HIGH	https://github.com/json5/json5/commit/62a65408408d40aeea14c7869ed327acead12972
cvssv3.1	7.1	https://github.com/json5/json5/commit/7774c1097993bc3ce9f0ac4b722a32bf7d6871c8
generic_textual	HIGH	https://github.com/json5/json5/commit/7774c1097993bc3ce9f0ac4b722a32bf7d6871c8
cvssv3.1	7.1	https://github.com/json5/json5/issues/199
generic_textual	HIGH	https://github.com/json5/json5/issues/199
cvssv3.1	7.1	https://github.com/json5/json5/issues/295
generic_textual	HIGH	https://github.com/json5/json5/issues/295
cvssv3.1	7.1	https://github.com/json5/json5/pull/298
generic_textual	HIGH	https://github.com/json5/json5/pull/298
cvssv3.1	7.1	https://github.com/json5/json5/security/advisories/GHSA-9c47-m6qq-7p4h
cvssv3.1_qr	HIGH	https://github.com/json5/json5/security/advisories/GHSA-9c47-m6qq-7p4h
generic_textual	HIGH	https://github.com/json5/json5/security/advisories/GHSA-9c47-m6qq-7p4h
cvssv3.1	7.1	https://lists.debian.org/debian-lts-announce/2023/11/msg00021.html
generic_textual	HIGH	https://lists.debian.org/debian-lts-announce/2023/11/msg00021.html
cvssv3.1	7.1	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3S26TLPLVFAJTUN3VIXFDEBEXDYO22CE
generic_textual	HIGH	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3S26TLPLVFAJTUN3VIXFDEBEXDYO22CE
cvssv3.1	7.1	https://nvd.nist.gov/vuln/detail/CVE-2022-46175
generic_textual	HIGH	https://nvd.nist.gov/vuln/detail/CVE-2022-46175

Reference id	Reference type	URL
		https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-46175.json
		https://api.first.org/data/v1/epss?cve=CVE-2022-46175
		https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-46175
		https://github.com/json5/json5
		https://github.com/json5/json5/commit/62a65408408d40aeea14c7869ed327acead12972
		https://github.com/json5/json5/commit/7774c1097993bc3ce9f0ac4b722a32bf7d6871c8
		https://github.com/json5/json5/issues/199
		https://github.com/json5/json5/issues/295
		https://github.com/json5/json5/pull/298
		https://github.com/json5/json5/security/advisories/GHSA-9c47-m6qq-7p4h
		https://lists.debian.org/debian-lts-announce/2023/11/msg00021.html
		https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3S26TLPLVFAJTUN3VIXFDEBEXDYO22CE
		https://nvd.nist.gov/vuln/detail/CVE-2022-46175
1027145		https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1027145
2156263		https://bugzilla.redhat.com/show_bug.cgi?id=2156263
GHSA-9c47-m6qq-7p4h		https://github.com/advisories/GHSA-9c47-m6qq-7p4h
RHSA-2023:0634		https://access.redhat.com/errata/RHSA-2023:0634
RHSA-2023:0934		https://access.redhat.com/errata/RHSA-2023:0934
RHSA-2023:1428		https://access.redhat.com/errata/RHSA-2023:1428
RHSA-2023:3742		https://access.redhat.com/errata/RHSA-2023:3742
RHSA-2024:4631		https://access.redhat.com/errata/RHSA-2024:4631
USN-6758-1		https://usn.ubuntu.com/6758-1/

No exploits are available.

Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H Found at https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-46175.json

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:L/A:H Found at https://github.com/json5/json5

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:L/A:H Found at https://github.com/json5/json5/commit/62a65408408d40aeea14c7869ed327acead12972

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:L/A:H Found at https://github.com/json5/json5/commit/7774c1097993bc3ce9f0ac4b722a32bf7d6871c8

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:L/A:H Found at https://github.com/json5/json5/issues/199

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:L/A:H Found at https://github.com/json5/json5/issues/295

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:L/A:H Found at https://github.com/json5/json5/pull/298

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:L/A:H Found at https://github.com/json5/json5/security/advisories/GHSA-9c47-m6qq-7p4h

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:L/A:H Found at https://lists.debian.org/debian-lts-announce/2023/11/msg00021.html

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:L/A:H Found at https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3S26TLPLVFAJTUN3VIXFDEBEXDYO22CE

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:L/A:H Found at https://nvd.nist.gov/vuln/detail/CVE-2022-46175

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Exploit Prediction Scoring System (EPSS)

Percentile	0.97641
EPSS Score	0.46501
Published At	April 2, 2026, 12:55 p.m.

Date	Actor	Action	Source	VulnerableCode Version
2026-04-01T13:05:56.530478+00:00	GithubOSV Importer	Import	https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/12/GHSA-9c47-m6qq-7p4h/GHSA-9c47-m6qq-7p4h.json	38.0.0