Описание
seroval facilitates JS value stringification, including complex structures beyond JSON.stringify capabilities. In versions 1.4.0 and below, due to improper input validation, a malicious object key can lead to prototype pollution during JSON deserialization. This vulnerability affects only JSON deserialization functionality. This issue is fixed in version 1.4.1.
A flaw was found in seroval. Due to improper input validation during JSON deserialization, a remote attacker could provide a malicious object key. This could lead to prototype pollution, potentially allowing the attacker to alter the behavior of the application or disclose sensitive information. This vulnerability specifically affects the JSON deserialization functionality.
Отчет
This vulnerability is rated Important for Red Hat as it affects the seroval library, which is utilized in forgejo within Fedora and EPEL. The flaw allows for prototype pollution during JSON deserialization due to improper input validation in versions 1.4.0 and below. Exploitation requires processing of malicious JSON input.
Меры по смягчению последствий
Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability.
Дополнительная информация
Статус:
7.3 High
CVSS3
Связанные уязвимости
seroval facilitates JS value stringification, including complex structures beyond JSON.stringify capabilities. In versions 1.4.0 and below, due to improper input validation, a malicious object key can lead to prototype pollution during JSON deserialization. This vulnerability affects only JSON deserialization functionality. This issue is fixed in version 1.4.1.
seroval Affected by Prototype Pollution via JSON Deserialization
7.3 High
CVSS3