Package Instance
Lookup for vulnerable packages by Package URL.
GET /api/packages/348331?format=api
{ "url": "http://public2.vulnerablecode.io/api/packages/348331?format=api", "purl": "pkg:npm/json5@1.0.1", "type": "npm", "namespace": "", "name": "json5", "version": "1.0.1", "qualifiers": {}, "subpath": "", "is_vulnerable": true, "next_non_vulnerable_version": "1.0.2", "latest_non_vulnerable_version": "2.2.2", "affected_by_vulnerabilities": [ { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/52725?format=api", "vulnerability_id": "VCID-y3ey-aab7-q3fk", "summary": "Prototype Pollution in JSON5 via Parse Method\nThe `parse` method of the JSON5 library before and including version `2.2.1` does not restrict parsing of keys named `__proto__`, allowing specially crafted strings to pollute the prototype of the resulting object.\n\nThis vulnerability pollutes the prototype of the object returned by `JSON5.parse` and not the global Object prototype, which is the commonly understood definition of Prototype Pollution. However, polluting the prototype of a single object can have significant security impact for an application if the object is later used in trusted operations.\n\n## Impact\nThis vulnerability could allow an attacker to set arbitrary and unexpected keys on the object returned from `JSON5.parse`. The actual impact will depend on how applications utilize the returned object and how they filter unwanted keys, but could include denial of service, cross-site scripting, elevation of privilege, and in extreme cases, remote code execution.\n\n## Mitigation\nThis vulnerability is patched in json5 v2.2.2 and later. A patch has also been backported for json5 v1 in versions v1.0.2 and later.\n\n## Details\n \nSuppose a developer wants to allow users and admins to perform some risky operation, but they want to restrict what non-admins can do. To accomplish this, they accept a JSON blob from the user, parse it using `JSON5.parse`, confirm that the provided data does not set some sensitive keys, and then performs the risky operation using the validated data:\n \n```js\nconst JSON5 = require('json5');\n\nconst doSomethingDangerous = (props) => {\n if (props.isAdmin) {\n console.log('Doing dangerous thing as admin.');\n } else {\n console.log('Doing dangerous thing as user.');\n }\n};\n\nconst secCheckKeysSet = (obj, searchKeys) => {\n let searchKeyFound = false;\n Object.keys(obj).forEach((key) => {\n if (searchKeys.indexOf(key) > -1) {\n searchKeyFound = true;\n }\n });\n return searchKeyFound;\n};\n\nconst props = JSON5.parse('{\"foo\": \"bar\"}');\nif (!secCheckKeysSet(props, ['isAdmin', 'isMod'])) {\n doSomethingDangerous(props); // \"Doing dangerous thing as user.\"\n} else {\n throw new Error('Forbidden...');\n}\n```\n \nIf the user attempts to set the `isAdmin` key, their request will be rejected:\n \n```js\nconst props = JSON5.parse('{\"foo\": \"bar\", \"isAdmin\": true}');\nif (!secCheckKeysSet(props, ['isAdmin', 'isMod'])) {\n doSomethingDangerous(props);\n} else {\n throw new Error('Forbidden...'); // Error: Forbidden...\n}\n```\n \nHowever, users can instead set the `__proto__` key to `{\"isAdmin\": true}`. `JSON5` will parse this key and will set the `isAdmin` key on the prototype of the returned object, allowing the user to bypass the security check and run their request as an admin:\n \n```js\nconst props = JSON5.parse('{\"foo\": \"bar\", \"__proto__\": {\"isAdmin\": true}}');\nif (!secCheckKeysSet(props, ['isAdmin', 'isMod'])) {\n doSomethingDangerous(props); // \"Doing dangerous thing as admin.\"\n} else {\n throw new Error('Forbidden...');\n}\n ```", "references": [ { "reference_url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-46175.json", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" } ], "url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-46175.json" }, { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2022-46175", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.46501", "scoring_system": "epss", "scoring_elements": "0.9767", "published_at": "2026-04-29T12:55:00Z" }, { "value": "0.46501", "scoring_system": "epss", "scoring_elements": "0.97667", "published_at": "2026-04-26T12:55:00Z" }, { "value": "0.46501", "scoring_system": "epss", "scoring_elements": "0.97666", "published_at": "2026-04-24T12:55:00Z" }, { "value": "0.46501", "scoring_system": "epss", "scoring_elements": "0.97644", "published_at": "2026-04-07T12:55:00Z" }, { "value": "0.46501", "scoring_system": "epss", "scoring_elements": "0.97664", "published_at": "2026-04-16T12:55:00Z" }, { "value": "0.46501", "scoring_system": "epss", "scoring_elements": "0.97656", "published_at": "2026-04-13T12:55:00Z" }, { "value": "0.46501", "scoring_system": "epss", "scoring_elements": "0.97653", "published_at": "2026-04-11T12:55:00Z" }, { "value": "0.46501", "scoring_system": "epss", "scoring_elements": "0.97651", "published_at": "2026-04-09T12:55:00Z" }, { "value": "0.46501", "scoring_system": "epss", "scoring_elements": "0.97649", "published_at": "2026-04-08T12:55:00Z" }, { "value": "0.46501", "scoring_system": "epss", "scoring_elements": "0.97641", "published_at": "2026-04-02T12:55:00Z" }, { "value": "0.46501", "scoring_system": "epss", "scoring_elements": "0.97643", "published_at": "2026-04-04T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2022-46175" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-46175", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-46175" }, { "reference_url": "https://github.com/json5/json5", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:L/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/json5/json5" }, { "reference_url": "https://github.com/json5/json5/commit/62a65408408d40aeea14c7869ed327acead12972", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:L/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/json5/json5/commit/62a65408408d40aeea14c7869ed327acead12972" }, { "reference_url": "https://github.com/json5/json5/commit/7774c1097993bc3ce9f0ac4b722a32bf7d6871c8", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:L/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/json5/json5/commit/7774c1097993bc3ce9f0ac4b722a32bf7d6871c8" }, { "reference_url": "https://github.com/json5/json5/issues/199", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:L/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/json5/json5/issues/199" }, { "reference_url": "https://github.com/json5/json5/issues/295", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:L/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/json5/json5/issues/295" }, { "reference_url": "https://github.com/json5/json5/pull/298", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:L/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/json5/json5/pull/298" }, { "reference_url": "https://github.com/json5/json5/security/advisories/GHSA-9c47-m6qq-7p4h", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:L/A:H" }, { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/json5/json5/security/advisories/GHSA-9c47-m6qq-7p4h" }, { "reference_url": "https://lists.debian.org/debian-lts-announce/2023/11/msg00021.html", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:L/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://lists.debian.org/debian-lts-announce/2023/11/msg00021.html" }, { "reference_url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3S26TLPLVFAJTUN3VIXFDEBEXDYO22CE", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:L/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3S26TLPLVFAJTUN3VIXFDEBEXDYO22CE" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2022-46175", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:L/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-46175" }, { "reference_url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1027145", "reference_id": "1027145", "reference_type": "", "scores": [], "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1027145" }, { "reference_url": "https://bugzilla.redhat.com/show_bug.cgi?id=2156263", "reference_id": "2156263", "reference_type": "", "scores": [], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2156263" }, { "reference_url": "https://github.com/advisories/GHSA-9c47-m6qq-7p4h", "reference_id": "GHSA-9c47-m6qq-7p4h", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-9c47-m6qq-7p4h" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2023:0634", "reference_id": "RHSA-2023:0634", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2023:0634" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2023:0934", "reference_id": "RHSA-2023:0934", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2023:0934" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2023:1428", "reference_id": "RHSA-2023:1428", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2023:1428" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2023:3742", "reference_id": "RHSA-2023:3742", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2023:3742" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2024:4631", "reference_id": "RHSA-2024:4631", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2024:4631" }, { "reference_url": "https://usn.ubuntu.com/6758-1/", "reference_id": "USN-6758-1", "reference_type": "", "scores": [], "url": "https://usn.ubuntu.com/6758-1/" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/80423?format=api", "purl": "pkg:npm/json5@1.0.2", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/json5@1.0.2" }, { "url": "http://public2.vulnerablecode.io/api/packages/80422?format=api", "purl": "pkg:npm/json5@2.2.2", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/json5@2.2.2" } ], "aliases": [ "CVE-2022-46175", "GHSA-9c47-m6qq-7p4h" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-y3ey-aab7-q3fk" } ], "fixing_vulnerabilities": [], "risk_score": "4.0", "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/json5@1.0.1" }