2282247 – (CVE-2024-29651) CVE-2024-29651 json-schema-ref-parser: Prototype pollution issue

Bug 2282247 (CVE-2024-29651) - CVE-2024-29651 json-schema-ref-parser: Prototype pollution issue

Summary: CVE-2024-29651 json-schema-ref-parser: Prototype pollution issue

Keywords:
Status:	NEW
Alias:	CVE-2024-29651
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:	2282252
TreeView+	depends on / blocked

Reported:	2024-05-21 20:05 UTC by Pedro Sampaio
Modified:	2025-05-06 08:28 UTC (History)
CC List:	27 users (show)
Fixed In Version:	json-schema-ref-parser 11.2.0
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Description Pedro Sampaio 2024-05-21 20:05:33 UTC

A Prototype Pollution issue in API Dev Tools json-schema-ref-parser v.11.0.0 and v.11.1.0 allows a remote attacker to execute arbitrary code via the bundle()`, `parse()`, `resolve()`, `dereference() functions.

References:
https://github.com/advisories/GHSA-5f97-h2c2-826q
https://gist.github.com/tariqhawis/5db76b38112bba756615b688c32409ad

Note You need to log in before you can comment on or make changes to this bug.

aprice
caswilli
cdaley
chazlett
cmiranda
dhanak
dsimansk
eric.wittmann
gtanzill
janstey
jchui
jsamir
kaycoth
kingland
ktsao
kverlaen
matzew
mnovotny
mpierce
nboldt
pantinor
pcongius
pierdipi
rguimara
rhuss
rtaniwa
tkral