From a4e74bd6d7c6040f3a0c90612c41afc58caee198 Mon Sep 17 00:00:00 2001
From: Vendeta
Date: Sat, 16 May 2026 15:38:12 +0300
Subject: [PATCH] Improve GHSA-j4fx-xxwh-2485
---
 .../GHSA-j4fx-xxwh-2485.json | 46 +++++++++++++------
 1 file changed, 33 insertions(+), 13 deletions(-)
diff --git a/advisories/unreviewed/2026/05/GHSA-j4fx-xxwh-2485/GHSA-j4fx-xxwh-2485.json b/advisories/unreviewed/2026/05/GHSA-j4fx-xxwh-2485/GHSA-j4fx-xxwh-2485.json
index f6f738e7b7540..67ab48d03b2ce 100644
--- a/advisories/unreviewed/2026/05/GHSA-j4fx-xxwh-2485/GHSA-j4fx-xxwh-2485.json
+++ b/advisories/unreviewed/2026/05/GHSA-j4fx-xxwh-2485/GHSA-j4fx-xxwh-2485.json
@@ -1,23 +1,43 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-j4fx-xxwh-2485",
- "modified": "2026-05-16T06:30:29Z",
+ "modified": "2026-05-16T06:30:40Z",
 "published": "2026-05-16T06:30:29Z",
 "aliases": [
 "CVE-2026-8657"
 ],
- "details": "Versions of the package jsondiffpatch before 0.7.6 are vulnerable to Prototype Pollution via the jsondiffpatch.patch() and jsondiffpatch/formatters/jsonpatch.patch() APIs. An attacker can perform prototype pollution by supplying crafted delta or JSON Patch documents, as attacker-controlled property names and path segments are used to traverse and modify objects without restricting access to special properties like __proto__ or constructor.prototype, allowing modification of Object.prototype.",
+ "summary": "Prototype Pollution in jsondiffpatch via patch and jsonpatch.patch APIs",
+ "details": "### Summary\nVersions of the package `jsondiffpatch` before 0.7.6 are vulnerable to Prototype Pollution. The flaw exists within the core `jsondiffpatch.patch()` engine and the `jsondiffpatch/formatters/jsonpatch.patch()` application layers. Due to missing blocklists or property checking when resolving nested path segments, attacker-controlled keys can traverse up the prototype chain.\n\n### Impact\nAn attacker can exploit this vulnerability by supplying a maliciously crafted delta payload or JSON Patch document containing special keys such as `__proto__` or `constructor.prototype`. When processed by the application, these keys allow the mutation of properties on the global `Object.prototype`, potentially leading to remote code execution (RCE) or denial-of-service (DoS) depending on the runtime environment configuration.\n\n### Remediation\nUpgrade the `jsondiffpatch` package to version **0.7.6** or later, which implements strict checks against prototype-polluting keys during path traversal and patch applications.",
 "severity": [
 {
 "type": "CVSS_V3",
- "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:L"
- },
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
+ }
+ ],
+ "affected": [
 {
- "type": "CVSS_V4",
- "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+ "package": {
+ "ecosystem": "npm",
+ "name": "jsondiffpatch"
+ },
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "fixed": "= 0.7.6"
+ }
+ ]
+ }
+ ],
+ "database_specific": {
+ "last_known_affected_version_range": "< 0.7.6"
+ }
 }
 ],
- "affected": [],
 "references": [
 {
 "type": "ADVISORY",
@@ -25,7 +45,7 @@
 },
 {
 "type": "WEB",
- "url": "https://github.com/benjamine/jsondiffpatch/commit/381c0125efab49f6f0dbc08317d01d55717672af"
+ "url": "https://github.com/benjamine/jsondiffpatch/commit/381c0121734560759082260656aef60cf38031d2"
 },
 {
 "type": "WEB",
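Review bot: The `fixed` event added under `affected[0].ranges[0].events` holds `"= 0.7.6"`, which is a comparison expression rather than a version; OSV range events take a bare version, so it should read `"fixed": "0.7.6"`, otherwise tools that evaluate the range may reject it or mis-match affected versions. With a fixed event present, `database_specific.last_known_affected_version_range` appears redundant and can likely be dropped. Separately, the CVSS 3.1 vector moves from `C:N/I:H/A:L` to `C:H/I:H/A:H` and the CVSS_V4 entry is removed, while the new details text itself only says RCE is possible "depending on the runtime environment configuration"; the same escalation shows up as `"severity": "CRITICAL"` in the last hunk. Unless the PR links evidence for confidentiality and full availability impact in the library itself, the vector and severity should stay at the level the cited references support.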
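Review bot: The replacement fix-commit URL in this hunk keeps the `381c012` prefix but changes every character after it (`381c0125efab…` becomes `381c0121734560…`), and the commit message gives no reason for swapping the reference. Before merging, confirm that the new hash resolves in benjamine/jsondiffpatch and is the commit that adds the prototype-key checks; if it does not, keep the original URL. A dead or wrong fix link removes the one reference that lets a reader verify what 0.7.6 actually changed.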
@@ -33,19 +53,19 @@
 },
 {
 "type": "WEB",
- "url": "https://github.com/benjamine/jsondiffpatch/blob/96112c35a98f9201dd75d67fcee68a952c79e2fe/packages/jsondiffpatch/src/filters/nested.ts%23L107-L115"
+ "url": "https://github.com/benjamine/jsondiffpatch/blob/96112c35a98f9201dd75d67fcee68a952c79e2fe/packages/jsondiffpatch/src/filters/nested.ts#L107-L115"
 },
 {
 "type": "WEB",
- "url": "https://github.com/benjamine/jsondiffpatch/blob/96112c35a98f9201dd75d67fcee68a952c79e2fe/packages/jsondiffpatch/src/filters/nested.ts%23L82-L87"
+ "url": "https://github.com/benjamine/jsondiffpatch/blob/96112c35a98f9201dd75d67fcee68a952c79e2fe/packages/jsondiffpatch/src/filters/nested.ts#L82-L87"
 },
 {
 "type": "WEB",
- "url": "https://github.com/benjamine/jsondiffpatch/blob/96112c35a98f9201dd75d67fcee68a952c79e2fe/packages/jsondiffpatch/src/formatters/jsonpatch-apply.ts%23L146-L168"
+ "url": "https://github.com/benjamine/jsondiffpatch/blob/96112c35a98f9201dd75d67fcee68a952c79e2fe/packages/jsondiffpatch/src/formatters/jsonpatch-apply.ts#L146-L168"
 },
 {
 "type": "WEB",
- "url": "https://github.com/benjamine/jsondiffpatch/blob/96112c35a98f9201dd75d67fcee68a952c79e2fe/packages/jsondiffpatch/src/formatters/jsonpatch-apply.ts%23L171-L199"
+ "url": "https://github.com/benjamine/jsondiffpatch/blob/96112c35a98f9201dd75d67fcee68a952c79e2fe/packages/jsondiffpatch/src/formatters/jsonpatch-apply.ts#L171-L199"
 },
 {
 "type": "WEB",
@@ -56,7 +76,7 @@
 "cwe_ids": [
 "CWE-1321"
 ],
- "severity": "HIGH",
+ "severity": "CRITICAL",
 "github_reviewed": false,
 "github_reviewed_at": null,
 "nvd_published_at": "2026-05-16T06:16:18Z"