It was discovered that the JSON5 parse method incorrectly handled the parsing of keys named \\_proto\\_. An attacker could possibly use this issue to pollute the prototype of the returned object, setting arbitrary or unexpected keys, and cause a denial of service, allow unintended access to network services or have other unspecified impact, depending on the application's use of the module.
Continue reading...
Continue reading...
