json-schema-editor-visual Prototype Pollution Vulnerability Allowing Object.prototype Manipulation
Vulnerability
A prototype pollution vulnerability has been identified in the json-schema-editor-visual package, affecting versions up to and including 1.1.1. The issue arises in the setData and deleteData functions, where improper validation of property paths allows attackers to inject or delete properties on Object.prototype. At minimum, this manipulation can lead to denial-of-service conditions.
Impact
Exploitation of this vulnerability allows for prototype pollution, where an attacker can modify the Object.prototype, potentially leading to denial-of-service conditions or runtime instability.
Reproduction
To reproduce this vulnerability, use json-schema-editor-visual version 1.1.1 or earlier. The vulnerability can be triggered by supplying a crafted payload to the setData or deleteData functions whose property path contains nested references such as `__proto__` or `toString`, so that the write or delete lands on Object.prototype instead of the intended object.
Remediation
Users are advised to update to version 2.0.0 or later, where this vulnerability has been addressed.
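The following is an added illustration, not code from json-schema-editor-visual, of the defect class described under Vulnerability and of the kind of check a fix needs. Both function names (unsafeSetData, safeSetData, safeDeleteData) and the dotted-path format are assumptions made for the example; the package's real implementation is not reproduced here.

```javascript
// Added example (not code from json-schema-editor-visual): a path-based
// setData/deleteData pair of the kind the advisory describes, first without
// and then with validation of the property path.

// Keys that must never be traversed or written when walking a user-supplied path.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function isSafeKey(key) {
  return !FORBIDDEN_KEYS.has(key);
}

function hasOwn(obj, key) {
  return Object.prototype.hasOwnProperty.call(obj, key);
}

// Unsafe: walks the path blindly. A segment such as "__proto__" resolves to
// Object.prototype, so the final assignment lands on every plain object, and
// an inherited segment such as "toString" resolves to a shared built-in.
function unsafeSetData(obj, path, value) {
  const keys = path.split('.');
  let cur = obj;
  for (let i = 0; i < keys.length - 1; i++) {
    if (cur[keys[i]] === undefined || cur[keys[i]] === null) cur[keys[i]] = {};
    cur = cur[keys[i]];
  }
  cur[keys[keys.length - 1]] = value;
  return obj;
}

// Hardened: every segment is checked before use, only own properties are
// traversed (so "toString" cannot reach an inherited value), and intermediate
// containers have a null prototype so nothing falls back to Object.prototype.
function safeSetData(obj, path, value) {
  const keys = path.split('.');
  if (!keys.every(isSafeKey)) {
    throw new Error('setData: path contains a forbidden key: ' + path);
  }
  let cur = obj;
  for (let i = 0; i < keys.length - 1; i++) {
    const k = keys[i];
    if (!hasOwn(cur, k) || typeof cur[k] !== 'object' || cur[k] === null) {
      cur[k] = Object.create(null);
    }
    cur = cur[k];
  }
  cur[keys[keys.length - 1]] = value;
  return obj;
}

// Hardened delete: same path validation; returns false when the path does
// not name an own property, so inherited properties are never touched.
function safeDeleteData(obj, path) {
  const keys = path.split('.');
  if (!keys.every(isSafeKey)) {
    throw new Error('deleteData: path contains a forbidden key: ' + path);
  }
  let cur = obj;
  for (let i = 0; i < keys.length - 1; i++) {
    const k = keys[i];
    if (!hasOwn(cur, k) || typeof cur[k] !== 'object' || cur[k] === null) return false;
    cur = cur[k];
  }
  const last = keys[keys.length - 1];
  if (!hasOwn(cur, last)) return false;
  delete cur[last];
  return true;
}

// Shows the difference: what an unrelated, freshly created object sees after
// each variant processes a constructed "__proto__" path. Cleans up afterwards.
function demonstrate() {
  const victim = {};
  unsafeSetData(victim, '__proto__.polluted', 'yes');
  const leaked = ({}).polluted;       // 'yes': Object.prototype was modified
  delete Object.prototype.polluted;   // restore global state for later code

  let rejected = false;
  try {
    safeSetData({}, '__proto__.polluted', 'yes');
  } catch (e) {
    rejected = true;
  }
  return { leaked, rejected, stillClean: ({}).polluted === undefined };
}

console.log(demonstrate());
```

The validation is deliberately on the path segments rather than on the final value: prototype pollution happens during traversal, so a check that only inspects the leaf assignment would miss it. Rejecting `constructor` and `prototype` alongside `__proto__` closes the equivalent `constructor.prototype` route.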