Vulnerability Description
Versions of the package jsondiffpatch before 0.7.6 are vulnerable to Prototype Pollution via the jsondiffpatch.patch() and jsondiffpatch/formatters/jsonpatch.patch() APIs. An attacker can perform prototype pollution by supplying crafted delta or JSON Patch documents, as attacker-controlled property names and path segments are used to traverse and modify objects without restricting access to special properties like __proto__ or constructor.prototype, allowing modification of Object.prototype.
CVSS Score
HIGH
Related Weaknesses (CWE)
References
- https://gist.github.com/yuki-matsuhashi/e570fb1579ae1f3190059b622b0473fb
- https://github.com/benjamine/jsondiffpatch/blob/96112c35a98f9201dd75d67fcee68a95
- https://github.com/benjamine/jsondiffpatch/blob/96112c35a98f9201dd75d67fcee68a95
- https://github.com/benjamine/jsondiffpatch/blob/96112c35a98f9201dd75d67fcee68a95
- https://github.com/benjamine/jsondiffpatch/blob/96112c35a98f9201dd75d67fcee68a95
- https://github.com/benjamine/jsondiffpatch/commit/381c0125efab49f6f0dbc08317d01d
- https://security.snyk.io/vuln/SNYK-JS-JSONDIFFPATCH-16322990
- https://gist.github.com/yuki-matsuhashi/e570fb1579ae1f3190059b622b0473fb
FAQ
What is CVE-2026-8657?
CVE-2026-8657 is a vulnerability with a CVSS score of 8.2 (HIGH). Versions of the package jsondiffpatch before 0.7.6 are vulnerable to Prototype Pollution via the jsondiffpatch.patch() and jsondiffpatch/formatters/jsonpatch.patch() APIs. An attacker can perform prot...
How severe is CVE-2026-8657?
CVE-2026-8657 has been rated HIGH with a CVSS base score of 8.2/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2026-8657?
Check the references section above for vendor advisories and patch information. Review vendor security bulletins for remediation guidance.