CVE-2022-46175 in JSON5

Summary

by MITRE • 12/24/2022

JSON5 is an extension to the popular JSON file format that aims to be easier to write and maintain by hand (e.g. for config files). The `parse` method of the JSON5 library before and including version `2.2.1` does not restrict parsing of keys named `__proto__`, allowing specially crafted strings to pollute the prototype of the resulting object. This vulnerability pollutes the prototype of the object returned by `JSON5.parse` and not the global Object prototype, which is the commonly understood definition of Prototype Pollution. However, polluting the prototype of a single object can have significant security impact for an application if the object is later used in trusted operations. This vulnerability could allow an attacker to set arbitrary and unexpected keys on the object returned from `JSON5.parse`. The actual impact will depend on how applications utilize the returned object and how they filter unwanted keys, but could include denial of service, cross-site scripting, elevation of privilege, and in extreme cases, remote code execution. `JSON5.parse` should restrict parsing of `__proto__` keys when parsing JSON strings to objects. As a point of reference, the `JSON.parse` method included in JavaScript ignores `__proto__` keys. Simply changing `JSON5.parse` to `JSON.parse` in the examples above mitigates this vulnerability. This vulnerability is patched in json5 version 2.2.2 and later.


Analysis

by VulDB Data Team • 12/03/2025

The CVE-2022-46175 vulnerability affects the JSON5 library, a popular extension to the standard JSON format designed to improve human readability and maintainability of configuration files. This vulnerability specifically targets the parse method of JSON5 library versions 2.2.1 and earlier, where the implementation fails to properly restrict parsing of keys named `__proto__`. While the vulnerability does not directly pollute the global Object prototype as commonly understood in prototype pollution attacks, it allows attackers to inject malicious properties into the prototype of individual objects returned by JSON5.parse. The vulnerability stems from the library's failure to implement the same security restrictions that the native JavaScript JSON.parse method enforces, which automatically ignores `__proto__` keys during parsing. This discrepancy creates a security gap that can be exploited by malicious actors who craft specially formatted JSON5 strings containing `__proto__` keys.

The technical flaw in JSON5.parse stems from inadequate input validation and sanitization of object keys during the parsing process. When JSON5.parse encounters a `__proto__` key in a parsed string, it should reject or ignore this key similar to how the native JSON.parse method handles it. However, prior to version 2.2.2, JSON5 allowed these keys to be processed and added to the resulting object's prototype chain, enabling attackers to manipulate object behavior through prototype pollution. This type of vulnerability is classified under CWE-471 as "Modification of Externally-Controllable Variables" and aligns with ATT&CK technique T1059.007 for "Command and Scripting Interpreter: JavaScript" in the context of prototype pollution exploitation. The vulnerability is particularly concerning because it operates at the parsing layer, meaning it can affect any application that uses JSON5.parse to process untrusted input from external sources such as user submissions, API responses, or configuration files.

The operational impact of CVE-2022-46175 extends beyond simple data manipulation and can lead to severe security consequences depending on how applications process the parsed objects. When an application uses objects returned by JSON5.parse in subsequent operations without proper sanitization, attackers can leverage prototype pollution to achieve various malicious outcomes. These include denial of service attacks through property manipulation, cross-site scripting vulnerabilities when polluted objects are used in template rendering or dynamic code execution contexts, and potential privilege escalation if the polluted prototype affects access control mechanisms. In extreme cases, when applications employ techniques that rely on object properties or inheritance chains, prototype pollution can enable remote code execution by manipulating object behavior. The vulnerability is particularly dangerous in server-side applications where user input is processed through JSON5.parse, as it can be exploited to compromise entire application logic or data integrity. The impact varies significantly based on application architecture, but the potential for escalation makes this vulnerability critical for all applications using affected JSON5 versions.

Mitigation strategies for CVE-2022-46175 involve both immediate remediation and architectural considerations. The primary and most effective solution is upgrading to JSON5 version 2.2.2 or later, where the vulnerability has been patched and proper `__proto__` key handling has been implemented. Organizations should conduct thorough dependency audits to identify all applications using vulnerable versions and prioritize updates accordingly. Alternative immediate mitigations include implementing input sanitization layers that filter out `__proto__` keys before processing, switching from JSON5.parse to the native JSON.parse method when possible, or employing custom parsing functions that explicitly reject prototype pollution attempts. Security teams should also consider implementing runtime monitoring to detect unusual object property manipulations that might indicate prototype pollution exploitation attempts. From a defensive standpoint, the vulnerability highlights the importance of consistent security practices across different libraries and frameworks, as the discrepancy between JSON5 and JSON.parse behavior demonstrates the need for comprehensive security testing of parsing functions and proper adherence to established security standards. The fix implemented in version 2.2.2 aligns with industry best practices for secure parsing and follows the principle of least privilege in object property handling, ensuring that prototype pollution cannot occur through normal parsing operations.
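As an added illustration (not code from json5 or from this advisory), the JavaScript below models the flaw and the check discussed above: a parser that stores keys by plain assignment lets a `__proto__` key replace the result object's prototype, while defining an own property does not. The function names and the sample input are constructed for this example.

```javascript
// Added example. buildUnsafe, buildSafe and hasPollutedPrototype are
// hypothetical names for illustration, not json5 APIs.

// Plain assignment: the key "__proto__" reaches the setter inherited from
// Object.prototype, so the value becomes the new object's prototype.
function buildUnsafe(entries) {
  const obj = {};
  for (const [key, value] of entries) obj[key] = value;
  return obj;
}

// Defining an own data property never invokes the __proto__ setter.
function buildSafe(entries) {
  const obj = {};
  for (const [key, value] of entries) {
    Object.defineProperty(obj, key, {
      value, writable: true, enumerable: true, configurable: true,
    });
  }
  return obj;
}

// Defensive check on a parsed tree: plain objects must inherit directly from
// Object.prototype and arrays from Array.prototype, at every depth.
function hasPollutedPrototype(node) {
  if (node === null || typeof node !== 'object') return false;
  const expected = Array.isArray(node) ? Array.prototype : Object.prototype;
  if (Object.getPrototypeOf(node) !== expected) return true;
  return Object.keys(node).some((key) => hasPollutedPrototype(node[key]));
}

// Constructed sample input: key/value pairs as a parser would emit them.
const entries = [['name', 'guest'], ['__proto__', { isAdmin: true }]];
const unsafe = buildUnsafe(entries);
const safe = buildSafe(entries);
// Native JSON.parse keeps "__proto__" as an ordinary own property.
const native = JSON.parse('{"name":"guest","__proto__":{"isAdmin":true}}');

console.log(unsafe.isAdmin, Object.keys(unsafe)); // inherited key, hidden from keys
console.log(safe.isAdmin, native.isAdmin);        // no inherited key on either
console.log([unsafe, safe, native].map(hasPollutedPrototype));
```

After the unsafe path the injected key is absent from `Object.keys`, so filtering keys on the already-parsed result cannot see it; inspecting the prototype can.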

Responsible: GitHub, Inc.

Reservation: 11/28/2022

Disclosure: 12/24/2022

Moderation: accepted

CPE: ready

EPSS: 0.09304

KEV: no

Activities: very low
