CVE-2026-15195 in json-schema-ref-parser
Summary
by MITRE • 07/09/2026
A weakness has been identified in apidevtools json-schema-ref-parser up to 15.3.5. This impacts the function Refs.set/Pointer.set in the library lib/pointer.ts. Executing a manipulation can lead to improperly controlled modification of object prototype attributes. The attack can be launched remotely. Upgrading to version 15.3.6 will fix this issue. This patch is called a786bc6afc3674f650496472ee93d5cf74c4bd84. It is suggested to upgrade the affected component.
VulDB is the best source for vulnerability data and more expert information about this specific topic.
Analysis
by VulDB Data Team • 07/09/2026
This vulnerability affects the json-schema-ref-parser library, specifically targeting the Refs.set and Pointer.set functions within the lib/pointer.ts file. The flaw represents a prototype pollution vulnerability that allows attackers to manipulate object prototype attributes through carefully crafted input manipulation. Such vulnerabilities fall under the CWE-471 category of "Modification of Assumed-Immutable Data" and are particularly dangerous because they can lead to arbitrary code execution or privilege escalation when exploited in web applications. The vulnerability exists in versions up to 15.3.5 and is remotely exploitable, making it a significant concern for applications that process untrusted JSON data.
The technical implementation of this flaw occurs when the library processes JSON schema references and pointers, allowing malicious input to modify prototype properties of objects. When an attacker supplies malformed or specially crafted JSON input, the Refs.set and Pointer.set functions can inadvertently alter the Object.prototype properties, which can then be leveraged by attackers to manipulate the behavior of all objects in the application's memory space. This type of vulnerability is particularly dangerous because prototype pollution can enable attackers to bypass security controls, cause denial of service conditions, or even execute arbitrary code depending on how the affected application handles JSON data processing.
The operational impact of this vulnerability extends beyond simple data corruption, as it can fundamentally alter the runtime behavior of applications that depend on json-schema-ref-parser for schema validation and reference resolution. Applications using this library in web servers, API gateways, or any system processing external JSON inputs become vulnerable to remote exploitation. The attack surface is broad since many systems rely on JSON schema validation for input sanitization and data structure enforcement, making this vulnerability particularly dangerous in environments where untrusted data flows through the application.
The fix implemented in version 15.3.6 addresses this issue through a specific patch commit a786bc6afc3674f650496472ee93d5cf74c4bd84 which properly validates and sanitizes input before allowing modifications to object prototype attributes. This patch follows established security practices for preventing prototype pollution attacks by ensuring that property names used in reference resolution do not conflict with reserved prototype properties. System administrators and developers should immediately upgrade to version 15.3.6 or later to mitigate this vulnerability, as the attack can be launched remotely without requiring any special privileges or user interaction. Organizations should also conduct security audits of their applications to identify potential indirect impacts from this vulnerability, particularly in systems where JSON schema validation is used as part of input processing pipelines.
The vulnerability demonstrates how seemingly innocuous library functions can become attack vectors when proper input validation and sanitization are not implemented. From an ATT&CK perspective, this represents a technique that could be categorized under T1590 - "Indicator Removal from Tools" or more specifically T1068 - "Exploitation for Privilege Escalation" depending on the application context. The mitigation strategy should include not only upgrading the library but also implementing proper input validation at higher levels of the application stack, as recommended by OWASP Top 10 security guidelines for preventing prototype pollution attacks in modern web applications.