CVE-2022-22912

9.8 CRITICAL

📋 TL;DR

CVE-2022-22912 is a prototype pollution vulnerability in the Plist.js library's .parse() function that allows attackers to modify object prototypes. This can lead to denial of service or potentially remote code execution. Any application using vulnerable versions of Plist.js for parsing property list files is affected.

💻 Affected Systems

Products:
  • plist.js library
  • Applications using plist.js for property list parsing
Versions: All versions before 3.0.4
Operating Systems: All platforms where Node.js applications run
Default Config Vulnerable: ⚠️ Yes
Notes: Vulnerability is present when parsing untrusted property list files using the .parse() method

⚠️ Risk & Real-World Impact

🔴 Worst Case: Remote code execution leading to complete system compromise
🟠 Likely Case: Denial of service through application crashes or instability
🟢 If Mitigated: Limited impact with proper input validation and sandboxing

🌐 Internet-Facing: HIGH - Applications parsing untrusted plist files from external sources are highly vulnerable
🏢 Internal Only: MEDIUM - Internal applications may still process malicious files from compromised sources

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires feeding malicious plist content to the vulnerable .parse() function

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 3.0.4

Vendor Advisory: https://github.com/TooTallNate/plist.js/issues/114

Restart Required: Yes

Instructions:

1. Update plist.js dependency to version 3.0.4 or later
2. Run 'npm update plist' or 'yarn upgrade plist'
3. Restart affected applications
4. Test functionality with updated version

🔧 Temporary Workarounds

  • Input validation and sanitization (all): Implement strict validation of plist file inputs before parsing
  • Sandbox parsing operations (all): Run plist parsing in isolated containers or sandboxed environments

🧯 If You Can't Patch

  • Implement strict network controls to prevent untrusted plist files from reaching vulnerable systems
  • Deploy web application firewalls with plist parsing protection rules

🔍 How to Verify

Check if Vulnerable:

Check package.json or node_modules/plist/package.json for version number

Check Version:

npm list plist | grep plist
or
cat node_modules/plist/package.json | grep version

Verify Fix Applied:

Verify plist version is 3.0.4 or higher in package.json and test parsing functionality
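
The version check above only inspects the top-level copy under node_modules/plist; a second copy installed beneath another dependency can stay below 3.0.4 after the upgrade. The following is an added example, not code from this page or from the plist.js project: it audits a parsed package-lock.json for every installed plist copy older than 3.0.4. The function names, the sample lockfile and the example-tool package in it are constructed for illustration.

```javascript
// Added example (not from the plist.js project): flag plist copies below 3.0.4
// in a parsed package-lock.json, including nested transitive installs.
const FIXED = [3, 0, 4]; // patch version stated on this page

// True when "x.y.z" is older than FIXED (pre-release/build suffix ignored).
function isBelowFixed(version) {
  const parts = String(version).split(/[-+]/)[0].split('.').map((n) => parseInt(n, 10) || 0);
  for (let i = 0; i < 3; i++) {
    const a = parts[i] || 0;
    if (a !== FIXED[i]) return a < FIXED[i];
  }
  return false;
}

function findVulnerablePlist(lock) {
  const hits = [];
  // lockfileVersion 2/3: flat "packages" map keyed by install path.
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    const isPlist = /(^|\/)node_modules\/plist$/.test(path); // skips @scope/plist
    if (isPlist && meta.version && isBelowFixed(meta.version)) {
      hits.push({ path, version: meta.version });
    }
  }
  // lockfileVersion 1: nested "dependencies" tree (skipped when "packages" exists).
  const walk = (deps, trail) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const path = `${trail}node_modules/${name}`;
      if (name === 'plist' && isBelowFixed(meta.version)) hits.push({ path, version: meta.version });
      walk(meta.dependencies, `${path}/`);
    }
  };
  if (!lock.packages) walk(lock.dependencies, '');
  return hits;
}

// Constructed sample: top-level plist is patched, a nested copy is not.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', version: '1.0.0' },
    'node_modules/plist': { version: '3.0.6' },
    'node_modules/example-tool': { version: '1.1.0' },
    'node_modules/example-tool/node_modules/plist': { version: '3.0.1' },
  },
};

console.log(findVulnerablePlist(SAMPLE_LOCK));
```

To audit a real project, pass the result of JSON.parse on the contents of its package-lock.json to findVulnerablePlist; an empty array means no listed copy is below 3.0.4.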

📡 Detection & Monitoring

Log Indicators:

  • Application crashes during plist parsing
  • Unusual memory consumption spikes
  • Stack traces containing plist.js functions

Network Indicators:

  • Unexpected plist file uploads to web applications
  • Suspicious file transfers to parsing endpoints

SIEM Query:

source="application.log" AND ("plist" OR ".parse()") AND ("crash" OR "error" OR "exception")
