CVE-2022-41714 - Insecure JSON Parsing in fastest-json-copy 1..1 Lets Attackers Edit Object Prototypes

When working with JavaScript and Node.js, safely handling objects is critical — especially when dealing with external data. In 2022, a vulnerability (CVE-2022-41714) was reported in a package named fastest-json-copy, version 1..1. This vulnerability allows attackers to tamper with JavaScript objects in dangerous ways. Let’s break down what went wrong, how it works, and what you should do.

What is fastest-json-copy?

fastest-json-copy is a small npm package designed to clone JSON-compatible values as quickly as possible. Many developers use it for its speed and convenience.

An attacker can send a JSON object with a __proto__ property.

- This property, when parsed and assigned, pollutes the Object prototype, affecting all objects on the system.

Simple Explanation

Basically, JavaScript objects inherit properties from their prototype. If someone can change the prototype, they can insert new properties or even override existing ones globally. This is bad — it can break your app or open security holes.

Proof of Concept (Exploit Example)

Let’s see a code snippet using fastest-json-copy 1..1 and how this vulnerability can be exploited.

const copy = require('fastest-json-copy');

// Untrusted user data
const malicious = JSON.parse('{"__proto__":{"isAdmin":true}}');

// The application copies the JSON
const safeCopy = copy(malicious);

// Now check a plain object
const user = {};

console.log(user.isAdmin); // --> true (wasn't there before!)

*What happened?*
Because there's no check on incoming keys, the isAdmin property gets added to ALL objects via the prototype. Any code that checks for user.isAdmin will now see true, even when it shouldn’t exist.

Crash or disrupt services.

To test this, try iterating over any new object after running the above exploit. The polluted property will show up everywhere.

The vulnerable code looked like this (simplified)

function copy(obj) {
    return JSON.parse(JSON.stringify(obj));
}

Or, it might have used a shallow clone

function copy(obj) {
    const result = {};
    for (let key in obj) {
        result[key] = obj[key]; // No key validation!
    }
    return result;
}

Both versions will happily copy __proto__ and other problematic keys, leading to prototype pollution.

How To Fix

It’s best to avoid using libraries that don’t sanitize or validate JSON keys. Always filter out dangerous keys like __proto__, constructor, and prototype.

A safe fix looks like

function safeCopy(obj) {
    const result = {};
    for (let key in obj) {
        if (key === '__proto__' || key === 'constructor' || key === 'prototype') continue;
        result[key] = obj[key];
    }
    return result;
}

Note: Consider using libraries like lodash with built-in security fixes, or read more about defense strategies in OWASP’s guide on Prototype Pollution.

References

- CVE-2022-41714 at NVD
- GitHub Issue (if available)
- Prototype Pollution on OWASP
- npm advisory for fastest-json-copy

Summary

CVE-2022-41714 in fastest-json-copy 1..1 is a textbook example of prototype pollution. By not validating JSON keys, attackers can modify the global state of all JavaScript objects. Protect your applications by filtering out suspicious keys and updating to secure libraries.

Timeline

Published on: 11/03/2022 20:15:00 UTC
Last modified on: 11/05/2022 00:31:00 UTC