CVE-2022-46175 Overview
CVE-2022-46175 is a Prototype Pollution vulnerability affecting the JSON5 library, a popular JSON file format extension designed to be easier to write and maintain by hand for configuration files. The parse method in vulnerable versions of the JSON5 library does not restrict parsing of keys named __proto__, allowing specially crafted strings to pollute the prototype of the resulting object.
Critical Impact
This vulnerability enables attackers to set arbitrary and unexpected keys on objects returned from JSON5.parse, potentially leading to denial of service, cross-site scripting, elevation of privilege, and in extreme cases, remote code execution depending on how applications handle the parsed objects.
Affected Products
- JSON5 versions prior to and including 1.0.1 (Node.js)
- JSON5 versions prior to and including 2.2.1 (Node.js)
- Fedora 37
Discovery Timeline
- 2022-12-24 - CVE-2022-46175 published to NVD
- 2024-11-21 - Last updated in NVD database
Technical Details for CVE-2022-46175
Vulnerability Analysis
This vulnerability represents a Prototype Pollution attack vector in the JSON5 parsing mechanism. Unlike traditional prototype pollution that targets the global Object.prototype, this vulnerability specifically pollutes the prototype of the object returned by JSON5.parse. While this distinction is important, polluting the prototype of a single object can still have significant security implications when that object is subsequently used in trusted operations throughout an application.
The attack exploits the fact that the JSON5 parser does not filter or sanitize special JavaScript property names like __proto__ when constructing objects from parsed input. When malicious input containing __proto__ keys is processed, the parser inadvertently allows modification of the resulting object's prototype chain.
Root Cause
The root cause lies in the JSON5.parse method's failure to implement proper key filtering during object construction. Unlike the native JSON.parse method included in JavaScript, which safely ignores __proto__ keys during parsing, the JSON5 implementation accepts and processes these special prototype keys, allowing them to be set on the resulting object's prototype.
This oversight in input validation means that any application accepting JSON5 input from untrusted sources could be vulnerable to prototype pollution attacks through specially crafted payloads.
Attack Vector
The vulnerability is exploitable over the network when applications use the JSON5 library to parse user-controlled input. An attacker can craft a malicious JSON5 string containing __proto__ keys that, when parsed, will pollute the prototype of the returned object. The actual impact depends heavily on how the application subsequently uses the parsed object.
Common exploitation scenarios include:
- Injecting properties that affect application logic when checking for object properties
- Bypassing security checks that rely on property existence
- Manipulating application flow through unexpected prototype properties
- In severe cases, achieving code execution when polluted properties are used in dangerous contexts like eval() or template engines
Detection Methods for CVE-2022-46175
Indicators of Compromise
- Unusual JSON5 input containing __proto__ keys in application logs or request data
- Unexpected object property behavior or application logic anomalies
- Evidence of object prototype manipulation in application memory or state
- Suspicious patterns in configuration files or data streams containing prototype pollution payloads
Detection Strategies
- Implement input validation to detect and block JSON5 payloads containing __proto__, constructor, or prototype keys
- Monitor application dependencies using software composition analysis (SCA) tools to identify vulnerable JSON5 versions
- Utilize runtime application self-protection (RASP) solutions to detect prototype pollution attempts
- Review package lock files (package-lock.json, yarn.lock) for vulnerable JSON5 versions
Monitoring Recommendations
- Enable detailed logging for JSON5 parsing operations in your application
- Set up alerts for anomalous object property access patterns that could indicate prototype pollution exploitation
- Monitor for unexpected changes in application behavior that could stem from polluted object prototypes
- Implement security information and event management (SIEM) rules to correlate potential prototype pollution activity
How to Mitigate CVE-2022-46175
Immediate Actions Required
- Upgrade JSON5 to version 1.0.2, 2.2.2, or later immediately
- Audit all applications and dependencies for vulnerable JSON5 versions using npm audit or similar tools
- Review application code for instances where JSON5.parse output is used in security-sensitive operations
- Consider temporarily switching to native JSON.parse if JSON5-specific features are not required
Patch Information
The vulnerability has been patched in json5 versions 1.0.2 and 2.2.2. The fix involves restricting the parsing of __proto__ keys when constructing objects from JSON5 strings. For detailed information about the security fix, refer to GitHub Pull Request #298 and the GitHub Security Advisory GHSA-9c47-m6qq-7p4h.
Workarounds
- Replace JSON5.parse with native JSON.parse where JSON5-specific syntax features are not required
- Implement a sanitization layer that removes or rejects objects containing __proto__ keys before processing
- Use Object.create(null) to create prototype-less objects when working with untrusted JSON5 input
- Apply object freezing techniques using Object.freeze() to prevent prototype modifications on parsed objects
# Update JSON5 to a patched version
npm update json5
# Or install a specific patched version
npm install json5@2.2.2
# Verify installed version
npm list json5
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
