CVE-2026-8657 | THREATINT

Description

Versions of the package jsondiffpatch before 0.7.6 are vulnerable to Prototype Pollution via the jsondiffpatch.patch() and jsondiffpatch/formatters/jsonpatch.patch() APIs. An attacker can perform prototype pollution by supplying crafted delta or JSON Patch documents, as attacker-controlled property names and path segments are used to traverse and modify objects without restricting access to special properties like __proto__ or constructor.prototype, allowing modification of Object.prototype.

PUBLISHED Reserved 2026-05-15 | Published 2026-05-16 | Updated 2026-05-16 | Assigner snyk

HIGH: 8.8CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N/E:P

HIGH: 8.2CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:L/E:P

Problem types

Prototype Pollution

Credits

Yuki Matsuhashi

References

security.snyk.io/vuln/SNYK-JS-JSONDIFFPATCH-16322990

gist.github.com/...tsuhashi/e570fb1579ae1f3190059b622b0473fb

github.com/...es/jsondiffpatch/src/filters/nested.ts#L82-L87

github.com/.../jsondiffpatch/src/filters/nested.ts#L107-L115

github.com/...ch/src/formatters/jsonpatch-apply.ts#L146-L168

github.com/...ch/src/formatters/jsonpatch-apply.ts#L171-L199

github.com/...ommit/381c0125efab49f6f0dbc08317d01d55717672af

cve.org (CVE-2026-8657)

nvd.nist.gov (CVE-2026-8657)

Download JSON