CVE-2020-7766
Arbitrary Code Execution in json-ptr
Severity: 7.3 HIGH (CVSS 3.1) | EPSS: 1.1%
Description
npm `json-ptr` before 2.1.0 has an arbitrary code execution vulnerability. The issue occurs in the [set operation](https://flitbit.github.io/json-ptr/classes/_src_pointer_.jsonpointer.html#set) when the force flag is set to true. The function recursively sets the property in the target object, creating any missing intermediate objects along the way, but it does not properly check the keys being set, so a pointer that traverses a prototype-chain key leads to prototype pollution.
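To make the defect class concrete, here is an added example (not json-ptr's own code) with a simplified JSON Pointer "set" that creates missing intermediate objects, once without a key check and once with the check that blocks prototype-chain keys. Function names, the forbidden-key list and the sample pointers are assumptions made for this illustration.

```javascript
// Added example: simplified reimplementation of a force-style JSON Pointer
// set, shown in vulnerable and hardened form. Not json-ptr's code; names
// and sample values are assumptions constructed for this illustration.

// RFC 6901 decoding of one reference token: "~1" -> "/", "~0" -> "~".
function decodeToken(token) {
  return token.replace(/~1/g, '/').replace(/~0/g, '~');
}

// "/a/b" -> ["a", "b"]; rejects the empty pointer and malformed input.
function parsePointer(pointer) {
  if (typeof pointer !== 'string' || pointer[0] !== '/') {
    throw new Error('invalid or empty JSON pointer: ' + pointer);
  }
  return pointer.slice(1).split('/').map(decodeToken);
}

// Keys that address the prototype chain instead of the object's own data.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Vulnerable form: walks and creates intermediate objects without looking at
// the key. `{}['__proto__']` is Object.prototype, so "/__proto__/x" writes
// the value onto every plain object in the process.
function setUnchecked(target, pointer, value) {
  const tokens = parsePointer(pointer);
  let cursor = target;
  for (let i = 0; i < tokens.length - 1; i++) {
    if (cursor[tokens[i]] === undefined) cursor[tokens[i]] = {};
    cursor = cursor[tokens[i]];
  }
  cursor[tokens[tokens.length - 1]] = value;
  return target;
}

// Hardened form: every token is validated before any write happens.
function setChecked(target, pointer, value) {
  for (const t of parsePointer(pointer)) {
    if (FORBIDDEN_KEYS.has(t)) throw new Error('refusing prototype key: ' + t);
  }
  return setUnchecked(target, pointer, value);
}

// Detection helper: a fresh object should never see a property it was not
// given; if it does, Object.prototype has been polluted.
function isPolluted(name) {
  return ({})[name] !== undefined;
}

module.exports = { parsePointer, setUnchecked, setChecked, isPolluted };
```

Running `setUnchecked` with a `/__proto__/...` pointer in a long-lived process is exactly the condition the advisory describes; the `isPolluted` check is a cheap post-condition to add to tests of any pointer-setting code path.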
How to fix CVE-2020-7766
To remediate CVE-2020-7766, upgrade the affected package to a fixed version below.
- Upgrade `json-ptr` to 2.1.0 or later
Is CVE-2020-7766 being exploited?
Low — EPSS is 1.1%, meaning exploitation activity has not been observed at scale.
Affected packages (1)
- `json-ptr` (npm): all versions from 0 up to, but not including, 2.1.0
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | HIGH (7.3) | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L |