CVE-2022-25352

7.5 HIGH

📋 TL;DR

CVE-2022-25352 is a prototype pollution vulnerability in the libnested JavaScript library that allows attackers to modify object prototypes, potentially leading to denial of service, remote code execution, or privilege escalation. This affects any application using vulnerable versions of libnested. The vulnerability stems from an incomplete fix for CVE-2020-28283.

💻 Affected Systems

Products:
  • libnested
Versions: All versions before 1.5.2
Operating Systems: All operating systems running Node.js applications
Default Config Vulnerable: ⚠️ Yes
Notes: Any application using libnested's set() function with untrusted input is vulnerable.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Remote code execution leading to complete system compromise, data theft, or ransomware deployment.
🟠 Likely Case: Denial of service, application crashes, or limited privilege escalation within the application context.
🟢 If Mitigated: Minimal impact if proper input validation and sandboxing are implemented.

🌐 Internet-Facing: HIGH - Web applications using libnested are directly exposed to attack vectors.
🏢 Internal Only: MEDIUM - Internal applications are still vulnerable but have reduced attack surface.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires attacker-controlled input to the vulnerable set() function.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.5.2

Vendor Advisory: https://github.com/dominictarr/libnested/commit/c1129865d75fbe52b5a4f755ad3110ca5420f2e1

Restart Required: Yes

Instructions:

1. Update package.json to require libnested version 1.5.2 or higher.
2. Run 'npm update libnested' or 'yarn upgrade libnested'.
3. Restart your application.

🔧 Temporary Workarounds

Input validation wrapper

Wrap libnested set() calls with strict input validation to reject prototype pollution attempts

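// Example: Validate keys don't contain __proto__ or constructor
const libnested = require('libnested');

function safeSet(obj, path, value) {
  // libnested paths are normally arrays of keys, so check every segment.
  // String() coercion also catches non-string segments that become
  // '__proto__' or 'constructor' when used as a property key.
  const segments = Array.isArray(path) ? path : [path];
  const banned = ['__proto__', 'constructor'];
  if (segments.some((key) => banned.some((word) => String(key).includes(word)))) {
    throw new Error('Invalid path');
  }
  return libnested.set(obj, path, value);
}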

🧯 If You Can't Patch

  • Implement strict Content Security Policy (CSP) headers to limit script execution
  • Deploy web application firewall (WAF) rules to detect and block prototype pollution attempts

🔍 How to Verify

Check if Vulnerable:

Check package.json or package-lock.json for libnested version <1.5.2, or run 'npm list libnested'

Check Version:

npm list libnested | grep libnested

Verify Fix Applied:

Confirm libnested version is 1.5.2 or higher with 'npm list libnested'
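
The lockfile check described above can be scripted for CI so that nested and transitive copies are not missed. This is an added example, not code from the advisory or the libnested project; the function names and both sample lockfiles are constructed for illustration.

```javascript
// Added example: flag every libnested copy in a parsed package-lock.json older than 1.5.2.
const FIXED = [1, 5, 2];

// Compare the numeric major.minor.patch core; a pre-release tag sorts below its release.
function isBelowFixed(version) {
  const [core, pre] = String(version).split('+')[0].split(/-(.*)/);
  const parts = core.split('.').map(Number);
  if (parts.length !== 3 || parts.some(Number.isNaN)) return true; // unparseable: flag for review
  for (let i = 0; i < 3; i++) {
    if (parts[i] !== FIXED[i]) return parts[i] < FIXED[i];
  }
  return pre !== undefined; // e.g. 1.5.2-beta.1 precedes 1.5.2
}

function findLibnested(lock) {
  const hits = [];
  // lockfileVersion 2 and 3: flat "packages" map keyed by install path.
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (path === 'node_modules/libnested' || path.endsWith('/node_modules/libnested')) {
      hits.push({ where: path, version: meta.version });
    }
  }
  // lockfileVersion 1: nested "dependencies" tree (v2 files carry both, so skip it when "packages" exists).
  const walk = (deps, trail) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      if (name === 'libnested') hits.push({ where: trail.concat(name).join(' > '), version: meta.version });
      walk(meta.dependencies, trail.concat(name));
    }
  };
  if (!lock.packages) walk(lock.dependencies, []);
  return hits.map((h) => ({ ...h, vulnerable: isBelowFixed(h.version) }));
}

// Constructed sample lockfiles (not taken from any real project).
const sampleV3 = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', version: '1.0.0' },
    'node_modules/libnested': { version: '1.5.2' },
    'node_modules/example-dep/node_modules/libnested': { version: '1.5.0' },
  },
};
const sampleV1 = { lockfileVersion: 1, dependencies: {
  'example-dep': { version: '2.0.0', dependencies: { libnested: { version: '1.4.1' } } },
} };

for (const hit of [sampleV3, sampleV1].flatMap(findLibnested)) {
  console.log(`${hit.vulnerable ? 'VULNERABLE' : 'ok'}  libnested@${hit.version}  (${hit.where})`);
}
```

To scan a real project, pass the result of JSON.parse on the contents of package-lock.json to findLibnested and fail the build when any entry has vulnerable set to true.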

📡 Detection & Monitoring

Log Indicators:

  • Unusual application crashes
  • Unexpected property modifications in objects
  • Error logs containing '__proto__' or 'constructor' in paths

Network Indicators:

  • HTTP requests with suspicious object paths in payloads
  • Unusual API calls to set() endpoints

SIEM Query:

source="application.logs" AND ("__proto__" OR "constructor") AND "libnested"
