CVE-2022-1295

9.8 CRITICAL

📋 TL;DR

CVE-2022-1295 is a prototype pollution vulnerability in fullpage.js that allows attackers to modify JavaScript object prototypes, potentially leading to remote code execution or denial of service. This affects websites using fullpage.js versions before 4.0.2. Attackers can exploit this by injecting malicious payloads through user-controlled inputs.

💻 Affected Systems

Products:
  • fullpage.js
Versions: All versions prior to 4.0.2
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Any website or application embedding fullpage.js before version 4.0.2 is vulnerable.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Remote code execution leading to complete system compromise, data theft, or website defacement.

🟠 Likely Case

Denial of service, website manipulation, or client-side attacks affecting user sessions.

🟢 If Mitigated

Limited impact with proper input validation and Content Security Policy (CSP) in place.

🌐 Internet-Facing: HIGH - Websites using vulnerable fullpage.js are directly accessible and exploitable.
🏢 Internal Only: MEDIUM - Internal applications using vulnerable versions could be exploited via phishing or internal threats.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires user interaction or malicious input injection but is straightforward.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 4.0.2

Vendor Advisory: https://github.com/alvarotrigo/fullpage.js/commit/bf62492a22e5d296e63c3ed918a42fc5645a0d48

Restart Required: No

Instructions:

1. Update fullpage.js to version 4.0.2 or later.
2. Replace the fullpage.js file in your project with the patched version.
3. Test your application for compatibility.

🔧 Temporary Workarounds

Input Sanitization (all platforms)

Implement strict input validation and sanitization for user-controlled data passed to fullpage.js.
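
One way to implement the sanitization described above, as an added example that is not code from fullpage.js or its advisory: it recursively drops the `__proto__`, `constructor` and `prototype` keys from untrusted JSON before the data reaches any option-merging code, and checks afterwards that `Object.prototype` is still clean. The function names and the sample payload are constructed for illustration.

```javascript
// Keys that can reach Object.prototype through a recursive merge or path assignment.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Recursively copy `value`, dropping forbidden keys at every depth.
// Returns { clean, dropped }, where `dropped` lists the paths that were removed.
// Intended for JSON-like data; functions and primitives are passed through as-is.
function sanitizeOptions(value, path = '', dropped = []) {
  if (Array.isArray(value)) {
    const items = value.map((v, i) => sanitizeOptions(v, `${path}[${i}]`, dropped).clean);
    return { clean: items, dropped };
  }
  if (value === null || typeof value !== 'object') {
    return { clean: value, dropped };
  }
  const clean = {};
  for (const key of Object.keys(value)) {
    const here = path ? `${path}.${key}` : key;
    if (FORBIDDEN_KEYS.has(key)) {
      dropped.push(here); // record it so the rejection can be logged
      continue;
    }
    clean[key] = sanitizeOptions(value[key], here, dropped).clean;
  }
  return { clean, dropped };
}

// True if a fresh object inherits any enumerable property,
// which means Object.prototype has been polluted.
function prototypeIsPolluted() {
  for (const inherited in {}) return true;
  return false;
}

// Constructed sample: user-supplied settings, as they might arrive in a request body.
function runExample() {
  const untrusted = JSON.parse(
    '{"autoScrolling":true,"anchors":["a","b"],' +
    '"__proto__":{"polluted":"yes"},' +
    '"extra":{"constructor":{"prototype":{"polluted":"yes"}},"scrollingSpeed":700}}'
  );
  const { clean, dropped } = sanitizeOptions(untrusted);
  return { clean, dropped, polluted: prototypeIsPolluted() };
}

console.log(JSON.stringify(runExample()));
```

Log the `dropped` paths on the server side: a non-empty list means a request carried a key that has no legitimate use in configuration data.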

Content Security Policy (CSP) (all platforms)

Enforce a strict CSP to mitigate potential code execution.

🧯 If You Can't Patch

  • Disable or remove fullpage.js if not essential.
  • Implement network segmentation and web application firewalls (WAF) to block malicious payloads.

🔍 How to Verify

Check if Vulnerable:

Check the fullpage.js version in your HTML source or package.json; versions <4.0.2 are vulnerable.

Check Version:

grep -ri 'fullpage\.js' your_project_directory | grep -o 'v[0-9.]\+'

Verify Fix Applied:

Confirm fullpage.js version is 4.0.2 or later and test for prototype pollution using security tools.

📡 Detection & Monitoring

Log Indicators:

  • Unusual JavaScript errors, unexpected object modifications, or payloads in user inputs.

Network Indicators:

  • HTTP requests with malicious strings targeting fullpage.js endpoints.

SIEM Query:

source="web_logs" AND (fullpage.js OR prototype) AND (error OR malicious)
