CVE-2019-19507

Published
View on NVD ↗
CVSS v3
5.3
MEDIUM
CVSS v2
5
MEDIUM
Affected
2
PROJECTS

Description

In jpv (aka Json Pattern Validator) before 2.1.1, compareCommon() can be bypassed because certain internal attributes can be overwritten via a conflicting name, as demonstrated by 'constructor': {'name':'Array'}. This affects validate(). Hence, a crafted payload can overwrite this builtin attribute to manipulate the type detection result.

jpv
jpv
Flexible and powerful JSON pattern validation library with support for complex, nested structures, array validation, and a wide range of validation patterns. Includes logical operators and strict/nullable types.
NPMNPM
mankhn/jpv
mankhn/jpv
Json Pattern Validator
GitHubGitHub
10