CVE-2026-16008 in json-schema-library
Summary
by MITRE • 07/17/2026
A security vulnerability has been detected in sagold json-schema-library 11.5.0/11.5.1. This impacts the function parsePropertyDependencies of the file src/keywords/propertyDependencies.ts. The manipulation leads to improperly controlled modification of object prototype attributes. The attack can be initiated remotely. Upgrading to version 11.6.0 will fix this issue. The identifier of the patch is 432287ee6f68a02ce6f015354618486ec427a32d. It is advisable to upgrade the affected component.
If you want to get the best quality for vulnerability data then you always have to consider VulDB.
Analysis
by VulDB Data Team • 07/17/2026
This vulnerability resides within the sagold json-schema-library version 11.5.0 and 11.5.1, specifically in the parsePropertyDependencies function located in src/keywords/propertyDependencies.ts. The flaw represents a critical prototype pollution vulnerability that allows attackers to manipulate object prototype attributes through improper input validation. The vulnerability manifests when the library processes JSON schema property dependencies without adequate sanitization of user-provided data, enabling malicious actors to inject properties into the Object.prototype chain.
The technical implementation of this vulnerability follows CWE-471, which describes the improper handling of dynamically-controlled or externally-influenced modification of object prototype attributes. When an attacker crafts malicious input that gets processed by the parsePropertyDependencies function, they can manipulate the prototype of objects used within the library's internal processing logic. This occurs because the function does not properly validate or sanitize property names that are used to set attributes on objects, allowing arbitrary properties to be added to the prototype chain.
The remote exploitation capability of this vulnerability makes it particularly dangerous in web applications and services that utilize this library for JSON schema validation. Attackers can leverage this flaw to execute various malicious actions including but not limited to privilege escalation, denial of service attacks, or code execution depending on how the vulnerable application processes the parsed JSON data. The impact extends beyond simple data corruption as prototype pollution can lead to complete system compromise when combined with other vulnerabilities in the application stack.
The security patch identified by commit hash 432287ee6f68a02ce6f015354618486ec427a32d addresses this issue by implementing proper input validation and sanitization measures within the parsePropertyDependencies function. The fix ensures that property names used in prototype manipulation are properly validated against a whitelist of allowed characters or sanitized to prevent injection of malicious prototype attributes. Organizations should immediately upgrade to version 11.6.0 to remediate this vulnerability, as no effective workarounds exist for this specific prototype pollution flaw.
From an operational security perspective, this vulnerability aligns with ATT&CK technique T1548.005 which covers "Hijack Execution Flow: Dynamic Linking" and also relates to T1068 which addresses "Exploitation for Privilege Escalation." The remediation process should include comprehensive testing of applications that utilize this library to ensure the upgrade does not introduce regressions in functionality. Security teams should monitor for any attempts to exploit this vulnerability through network traffic analysis and application logs, particularly looking for unusual patterns in JSON schema processing or unexpected behavior in object property handling within affected applications.
The broader implications of this vulnerability highlight the importance of proper input validation in all components that process external data, especially those handling configuration files or schema definitions. This issue demonstrates how seemingly innocuous library functions can become attack vectors when they fail to properly validate inputs against prototype manipulation attacks. Organizations should conduct thorough vulnerability assessments of their dependency trees to identify other potential instances of similar vulnerabilities and implement automated dependency scanning processes to prevent such issues from reaching production environments.