
Security Vulnerability in fast-json-patch Dependency via ajv-cli #2089

Open
anderslorentzon opened this issue Dec 14, 2024 · 0 comments

anderslorentzon commented Dec 14, 2024

Describe the bug

I have identified a security vulnerability in the OSCAL project's dependency chain. The package ajv-cli relies on an outdated version of fast-json-patch, which contains a Prototype Pollution vulnerability. This issue has been documented as:

Vulnerability ID: GHSA-8gh8-hqwg-xf34

Affected Versions: fast-json-patch versions < 3.1.1

The vulnerability allows for Prototype Pollution.

Who is the bug affecting

What is affected by this bug

CI/CD

How do we replicate this issue

npm audit

Expected behavior (i.e. solution)

```text
fast-json-patch <3.1.1
Severity: high (unknown)
Starcounter-Jack JSON-Patch Prototype Pollution vulnerability - GHSA-8gh8-hqwg-xf34
fix available via npm audit fix --force
Will install [email protected], which is a breaking change
node_modules/fast-json-patch
ajv-cli >=0.7.0
Depends on vulnerable versions of fast-json-patch
node_modules/ajv-cli
```

Other comments

No response

Revisions

No response
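The advisory above names the vulnerability class (Prototype Pollution through JSON Patch paths) but the report does not show what it looks like or how a patch applier guards against it. The following is an added illustration, not code from this issue, from the OSCAL project, or from fast-json-patch, and it is not the fix shipped in fast-json-patch 3.1.1: it is a deliberately minimal RFC 6901 pointer walker written here for the example, first in a naive form that follows a `/__proto__/...` path straight onto `Object.prototype`, then in a hardened form that rejects reserved segments and only descends through own properties. The `FORBIDDEN_KEYS` set and the function names are assumptions of this example.

```javascript
// Added example (not from the issue, OSCAL, or fast-json-patch): a minimal
// JSON Patch "add" applier, naive versus hardened, showing the
// prototype-pollution class that GHSA-8gh8-hqwg-xf34 belongs to.

// Assumed deny-list of path segments that reach shared prototypes.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// RFC 6901 decoding: "/a/b~1c" -> ["a", "b/c"]; "" -> [] (whole document).
function parsePointer(pointer) {
  if (pointer === '') return [];
  if (pointer[0] !== '/') throw new Error(`invalid JSON pointer: ${pointer}`);
  return pointer
    .slice(1)
    .split('/')
    .map((s) => s.replace(/~1/g, '/').replace(/~0/g, '~'));
}

// Naive applier: plain property access on every segment, so the lookup
// of "__proto__" on any object returns Object.prototype and the final
// assignment lands there, visible to every other object in the process.
function naiveAdd(doc, pointer, value) {
  const keys = parsePointer(pointer);
  let cur = doc;
  for (let i = 0; i < keys.length - 1; i++) {
    if (cur[keys[i]] === undefined) cur[keys[i]] = {};
    cur = cur[keys[i]];
  }
  cur[keys[keys.length - 1]] = value;
  return doc;
}

// Hardened applier: reject reserved segments up front and create
// intermediate objects only when the key is not an own property, so a
// lookup can never walk onto an inherited prototype object.
function safeAdd(doc, pointer, value) {
  const keys = parsePointer(pointer);
  if (keys.length === 0) throw new Error('refusing to replace the whole document');
  for (const k of keys) {
    if (FORBIDDEN_KEYS.has(k)) {
      throw new Error(`rejected prototype-polluting path segment: ${k}`);
    }
  }
  let cur = doc;
  for (let i = 0; i < keys.length - 1; i++) {
    if (!Object.prototype.hasOwnProperty.call(cur, keys[i])) cur[keys[i]] = {};
    cur = cur[keys[i]];
  }
  cur[keys[keys.length - 1]] = value;
  return doc;
}

// Runs both appliers against a constructed patch and reports what happened.
// The naive result is cleaned up immediately so the rest of the process
// is not left polluted.
function demonstrate() {
  const patch = { op: 'add', path: '/__proto__/polluted', value: 'yes' }; // constructed
  naiveAdd({}, patch.path, patch.value);
  const leaked = {}.polluted; // an unrelated, fresh object now "has" the value
  delete Object.prototype.polluted; // undo the pollution for the rest of the run

  let rejected = false;
  try {
    safeAdd({}, patch.path, patch.value);
  } catch (e) {
    rejected = true;
  }
  const benign = safeAdd({ a: 1 }, '/b/c', 2); // ordinary patch still works
  return { leaked, rejected, benign, cleanAfter: {}.polluted === undefined };
}

console.log(demonstrate());
```

The guard is the important part for a consumer of a JSON Patch library: either the library validates paths this way (as the patched fast-json-patch release is meant to), or the application must do it before handing untrusted patches to the library. Checking `hasOwnProperty` instead of `=== undefined` matters independently of the deny-list, because inherited keys such as `toString` are also not undefined on a plain object.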

Status: Needs Triage