GHSA-5C5F-7VFQ-3732 JMESPath for Ruby uses unsafe JSON.load when safe JSON.parse is preferable

jmespath.rb aka JMESPath for Ruby before 1.6.1 uses JSON.load in a situation where JSON.parse is preferable...

JMESPath for Ruby using JSON.load instead of JSON.parse

jmespath.rb aka JMESPath for Ruby before 1.6.1 uses JSON.load in a situation where JSON.parse is preferable...

CVE-2022-32511

jmespath.rb aka JMESPath for Ruby before 1.6.1 uses JSON.load in a situation where JSON.parse is preferable...

CVE-2022-32511

jmespath.rb aka JMESPath for Ruby before 1.6.1 uses JSON.load in a situation where JSON.parse is preferable...

Design/Logic Flaw

jmespath.rb aka JMESPath for Ruby before 1.6.1 uses JSON.load in a situation where JSON.parse is preferable...

CVE-2022-32511

CVE-2022-32511 affects the Ruby gem jmespath.rb (JMESPath for Ruby)

CVE-2022-32511

jmespath.rb aka JMESPath for Ruby before 1.6.1 uses JSON.load in a situation where JSON.parse is preferable...

GHSA-7QM6-9V49-38M9 Prototype Pollution in record-like-deep-assign

All versions of package record-like-deep-assign are vulnerable to Prototype Pollution via the main functionality. PoC js const deepAssign = require'record-like-deep-assign'; let obj = ; console.log"Before being polluted: " + obj.polluted; EVILJSON = JSON.parse'"proto":"polluted":true'; deepAssign...

GHSA-5PXJ-MHWJ-X5GV Prototype Pollution in asciitable.js

The package asciitable.js before 1.0.3 is vulnerable to Prototype Pollution via the main function. PoC js var a = require"asciitable.js"; var b = JSON.parse'"proto":"test":123'; a,b; console.log.test...

Prototype Pollution in asciitable.js

The package asciitable.js before 1.0.3 is vulnerable to Prototype Pollution via the main function. PoC js var a = require"asciitable.js"; var b = JSON.parse'"proto":"test":123'; a,b; console.log.test...

Prototype Pollution in babak-gholamzadeh/deeply-object-assign

Description deeply-object-assign is vulnerable to Prototype Pollution. Proof of Concept 1. Create the following PoC file: // poc.js var deeplyObjectAssign = require"deeply-object-assign" const payload = JSON.parse'"proto":"polluted":"Yes! Its Polluted"'; var obj = console.log"Before : " +...

Prototype Pollution

merge is vulnerable to prototype pollution. A bypass of the fix for CVE-2018-16469 exists and allows arbitrary properties of the Object prototype to be added or modified via JSON.parse...

HTML Injection in preact

Versions of preact 10.x on prerelease tags alpha and beta prior to 10.0.0-beta.1 are vulnerable to HTML Injection. Due to insufficient input validation the package allows attackers to inject JavaScript objects as virtual-dom nodes, which may lead to Cross-Site Scripting. This requires user input...

CVE-2020-24345

JerryScript through 2.3.0 allows stack consumption via function anew new Proxya,JSON.parse"",a. NOTE: the vendor states that the problem is the lack of the --stack-limit option...

CVE-2020-24345

JerryScript through 2.3.0 allows stack consumption via function anew new Proxya,JSON.parse"",a. NOTE: the vendor states that the problem is the lack of the --stack-limit option...

CVE-2020-24345

JerryScript through 2.3.0 allows stack consumption via function anew new Proxya,JSON.parse"",a. NOTE: the vendor states that the problem is the lack of the --stack-limit option...

HTML Injection

Overview Versions of preact 10.x on prerelease tags alpha and beta prior to 10.0.0-beta.1 are vulnerable to HTML Injection. Due to insufficient input validation the package allows attackers to inject JavaScript objects as virtual-dom nodes, which may lead to Cross-Site Scripting. This requires us...

Remote Code Execution (RCE)

ruby is vulnerable to remote code execution RCE attacks. The vulnerability exists due to a heap-based buffer overflow in Ruby 1.8, 1.9 before 1.9.3-p484, 2.0 before 2.0.0-p353, 2.1 before 2.1.0 preview2, and trunk before revision 43780 allows context-dependent attackers to cause a denial of servi...

Prototype Pollution

defaults-deep is vulnerable to prototype pollution. Properties of the Object prototype can be added or modified via JSON.parse, causing a denial of service condition or possibly remote code execution depending on the application...

Regular Expression Denial of Service in parsejson

Affected versions of parsejson are vulnerable to a regular expression denial of service when parsing untrusted user input. Recommendation The parsejson package has not been functionally updated since it was initially released. Additionally, it provides functionality which is natively included in...