
Cloud Vulnerability DB
A community-led vulnerabilities database
The parse method of the JSON5 library, in versions up to and including 1.0.1 and 2.2.1, does not restrict parsing of keys named __proto__, allowing specially crafted strings to pollute the prototype of the resulting object. The vulnerability was discovered and disclosed in December 2022 and affects all versions of JSON5 from 2.0.0 to 2.2.1 and versions prior to 1.0.2 (GitHub Advisory).
The vulnerability allows an attacker to set arbitrary and unexpected keys on the object returned from JSON5.parse by supplying a __proto__ key in the parsed input. Unlike classic prototype pollution, which modifies the global Object prototype, this issue pollutes only the prototype of the object that JSON5.parse returns. It has been assigned CVE-2022-46175 with a CVSS v3.1 base score of 7.1 (High): network attack vector, high attack complexity, low privileges required and no user interaction needed (GitHub Advisory).
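As an added example (not code from the JSON5 project or from the advisory), the JavaScript below shows two defensive checks an application can apply to whatever a parser hands back: detecting the symptom the advisory describes, a returned object whose prototype is no longer Object.prototype, and rebuilding the parsed tree into fresh objects without the __proto__, constructor and prototype keys. The polluted object used as input is constructed inside the block with Object.setPrototypeOf to stand in for what an unpatched parser would return; no JSON5 call is made, so the block runs with plain Node.js.

```javascript
// Added illustration, not JSON5's own code. Defensive handling of parser
// output whose prototype may have been tampered with.

const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Symptom check: a plain parsed object should sit directly on Object.prototype
// (or on null for a dictionary object); an array on Array.prototype.
function isPrototypePolluted(obj) {
  if (obj === null || typeof obj !== 'object') return false;
  const proto = Object.getPrototypeOf(obj);
  if (Array.isArray(obj)) return proto !== Array.prototype;
  return proto !== Object.prototype && proto !== null;
}

// Rebuild the tree into fresh objects: only own keys are copied, forbidden
// keys are dropped, and whatever prototype the parser attached is discarded.
function sanitizeParsed(value, depth = 0) {
  if (depth > 64) throw new Error('nesting too deep');
  if (Array.isArray(value)) return value.map((v) => sanitizeParsed(v, depth + 1));
  if (value === null || typeof value !== 'object') return value;
  const out = {};
  for (const key of Object.keys(value)) {
    if (FORBIDDEN_KEYS.has(key)) continue;
    out[key] = sanitizeParsed(value[key], depth + 1);
  }
  return out;
}

// Constructed stand-in for the output of an unpatched parser given input with
// a "__proto__" key: the object's prototype has been swapped for attacker data.
function constructedVulnerableOutput() {
  const obj = { name: 'demo' };
  Object.setPrototypeOf(obj, { isAdmin: true });
  return obj;
}

// Constructed stand-in for a correct parser: JSON.parse creates an own data
// property literally named "__proto__" and leaves the prototype alone.
function constructedOwnProtoKey() {
  return JSON.parse('{"__proto__": {"x": 1}, "a": 1}');
}

function demo() {
  const bad = constructedVulnerableOutput();
  const clean = sanitizeParsed(bad);
  return {
    pollutedBefore: isPrototypePolluted(bad),   // true
    leakedFlag: bad.isAdmin,                     // true via the prototype chain
    pollutedAfter: isPrototypePolluted(clean),  // false
    flagAfter: clean.isAdmin,                    // undefined
  };
}
```

Dropping an own "__proto__" key, even though it is harmless on the object itself, matters for what happens next: Object.assign copies own enumerable keys with ordinary assignment, so a later Object.assign(target, parsed) would run target's __proto__ setter and replace target's prototype.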
The vulnerability could lead to multiple security implications depending on how applications use the returned object and whether they filter unwanted keys. Potential impacts include denial of service, cross-site scripting, elevation of privilege and, in extreme cases, remote code execution. It is particularly dangerous when the parsed object is later used in trusted operations, since properties set on the object's prototype can bypass security checks that only inspect the object's own keys (GitHub Advisory).
The vulnerability has been patched in JSON5 version 2.2.2 and later, with a backported fix also available in version 1.0.2 for the v1 branch. Users are strongly advised to upgrade to these patched versions to mitigate the security risk (GitHub Advisory, GitHub PR).
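The fixed-version thresholds named above can be checked mechanically across a dependency tree. The JavaScript below is an added example, not tooling from JSON5 or from the advisory: it encodes the thresholds (1.0.2 on the v1 line, 2.2.2 on the v2 line) and scans the packages map of an npm lockfile (lockfile v2/v3 layout) for unpatched copies, including nested ones under other packages. The lockfile object is constructed inline; reading a real package-lock.json from disk is left to the caller, and treating any major version above 2 as later than the fix is an assumption of this example.

```javascript
// Added example, not JSON5's own code: is an installed json5 version patched
// for CVE-2022-46175, and which lockfile entries still need an upgrade?

function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1, 4).map(Number);
}

// -1, 0 or 1 for a < b, a == b, a > b on major.minor.patch only.
function compareVersions(a, b) {
  const x = parseVersion(a);
  const y = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (x[i] !== y[i]) return x[i] < y[i] ? -1 : 1;
  }
  return 0;
}

// Fixed in 2.2.2 (v2 line) and backported to 1.0.2 (v1 line), per the advisory.
// Anything below 1.0.2, including 0.x, is "prior to 1.0.2" and therefore affected.
function isJson5Patched(version) {
  const [major] = parseVersion(version);
  if (major === 1) return compareVersions(version, '1.0.2') >= 0;
  if (major === 2) return compareVersions(version, '2.2.2') >= 0;
  if (major > 2) return true; // assumption: later major lines postdate the fix
  return false;
}

// Walk the "packages" map of an npm lockfile and report every json5 copy,
// top-level or nested, whose version predates the fix.
function findVulnerableJson5(lockfile) {
  const packages = (lockfile && lockfile.packages) || {};
  const hits = [];
  for (const [path, info] of Object.entries(packages)) {
    if (!info || !info.version) continue;
    const isJson5 = path === 'node_modules/json5' || path.endsWith('/node_modules/json5');
    if (isJson5 && !isJson5Patched(info.version)) {
      hits.push({ path, version: info.version });
    }
  }
  return hits;
}

// Constructed sample lockfile: one top-level unpatched copy, one nested patched copy.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', version: '0.0.0' },
    'node_modules/json5': { version: '2.2.1' },
    'node_modules/some-tool': { version: '4.1.0' },
    'node_modules/some-tool/node_modules/json5': { version: '1.0.2' },
  },
};

// Usage: node this-file.js prints [{ path: 'node_modules/json5', version: '2.2.1' }]
console.log(findVulnerableJson5(SAMPLE_LOCK));
```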
The vulnerability received attention from the open-source community, with multiple projects and packages quickly moving to patch their dependencies. The fix was backported to version 1 due to its widespread usage, as indicated by npm download statistics. Various Linux distributions, including Fedora and Debian, issued security advisories and patches for affected packages (Debian LTS, Fedora Update).
Source: This report was generated using AI