CVE-2026-8657: jsondiffpatch versions before 0.7.6 allow Prototype Pollution via the patch() APIs

Summary

Versions of the jsondiffpatch package before 0.7.6 are vulnerable to Prototype Pollution (CWE-1321) through jsondiffpatch.patch() and jsondiffpatch/formatters/jsonpatch.patch(). Property names in a delta document and path segments in a JSON Patch document are used directly to traverse and write into objects, so a crafted document containing a segment such as __proto__ or constructor.prototype can modify Object.prototype. This matters wherever deltas or JSON Patch documents come from user input or other untrusted sources: a property added to Object.prototype is inherited by every plain object in the process, which can change the outcome of authorization checks, configuration lookups, or any other logic that tests whether a property is set. To fix this issue, update to version 0.7.6 or later; until then, do not pass untrusted delta or JSON Patch documents to these APIs.

Original description
Versions of the package jsondiffpatch before 0.7.6 are vulnerable to Prototype Pollution via the jsondiffpatch.patch() and jsondiffpatch/formatters/jsonpatch.patch() APIs. An attacker can perform prototype pollution by supplying crafted delta or JSON Patch documents, as attacker-controlled property names and path segments are used to traverse and modify objects without restricting access to special properties like __proto__ or constructor.prototype, allowing modification of Object.prototype.
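The traversal the description refers to, as an added illustration that is not jsondiffpatch's own code: a minimal applier for RFC 6902 "add" operations and for a jsondiffpatch-style delta, each written once without and once with a check on special property names. The delta shape assumed here ({ key: [value] } for an added value, nested objects for nested changes) is modelled on jsondiffpatch's delta format but is an assumption of this example; the hostile inputs are constructed for the demonstration.

```javascript
'use strict';
// Added illustration of CWE-1321 as the advisory describes it. This is NOT
// jsondiffpatch's code: it is a minimal applier for (a) RFC 6902 "add"
// operations and (b) a jsondiffpatch-style delta ({ key: [value] } = added,
// an assumed shape), written once without and once with a guard on
// special property names.

const SPECIAL = new Set(['__proto__', 'constructor', 'prototype']);

// RFC 6901 pointer -> segments ("~1" -> "/", "~0" -> "~", in that order).
function parsePointer(path) {
  if (path === '') return [];
  if (path[0] !== '/') throw new Error('invalid JSON pointer: ' + path);
  return path.slice(1).split('/').map(s => s.replace(/~1/g, '/').replace(/~0/g, '~'));
}

// Walks attacker-controlled segments with plain property access, so the
// segment "__proto__" steps from any plain object into Object.prototype.
function jsonPatchAddUnsafe(target, op) {
  const segs = parsePointer(op.path);
  let node = target;
  for (const seg of segs.slice(0, -1)) {
    if (typeof node[seg] !== 'object' || node[seg] === null) node[seg] = {};
    node = node[seg];
  }
  node[segs[segs.length - 1]] = op.value;
  return target;
}

// Hardened: every segment is checked before any traversal happens, and an
// intermediate node is only reused when it is an own property of its parent.
function jsonPatchAddSafe(target, op) {
  const segs = parsePointer(op.path);
  for (const seg of segs) {
    if (SPECIAL.has(seg)) throw new Error('rejected special path segment: ' + seg);
  }
  let node = target;
  for (const seg of segs.slice(0, -1)) {
    const own = Object.prototype.hasOwnProperty.call(node, seg);
    if (!own || typeof node[seg] !== 'object' || node[seg] === null) node[seg] = {};
    node = node[seg];
  }
  node[segs[segs.length - 1]] = op.value;
  return target;
}

// Same traversal driven by delta keys. JSON.parse('{"__proto__":{...}}') yields
// an OWN key named "__proto__", so without the guard the recursion below walks
// into Object.prototype and writes there.
function applyDelta(target, delta, guard) {
  for (const key of Object.keys(delta)) {
    if (guard && SPECIAL.has(key)) throw new Error('rejected special property name: ' + key);
    const d = delta[key];
    if (Array.isArray(d) && d.length === 1) {
      target[key] = d[0];                       // added value
    } else if (d && typeof d === 'object') {    // nested delta
      if (typeof target[key] !== 'object' || target[key] === null) target[key] = {};
      applyDelta(target[key], d, guard);
    }
  }
  return target;
}

// Runs both hostile documents (constructed inputs) against both appliers and
// reports what a fresh object looks like afterwards; Object.prototype is
// cleaned up between steps so the process is left as it was found.
function demonstrate() {
  const patchOp = { op: 'add', path: '/__proto__/isAdmin', value: true };
  const delta = JSON.parse('{"__proto__":{"isAdmin":[true]}}');
  const result = {};

  jsonPatchAddUnsafe({}, patchOp);
  result.patchPolluted = ({}).isAdmin === true;   // a brand-new object now "is admin"
  delete Object.prototype.isAdmin;

  applyDelta({}, delta, false);
  result.deltaPolluted = ({}).isAdmin === true;
  delete Object.prototype.isAdmin;

  let rejected = 0;
  try { jsonPatchAddSafe({}, patchOp); } catch (e) { rejected++; }
  try { applyDelta({}, delta, true); } catch (e) { rejected++; }
  result.safeRejected = rejected;
  result.cleanAfterSafe = ({}).isAdmin === undefined;

  // A benign operation still goes through the hardened applier.
  result.benign = jsonPatchAddSafe({ a: {} }, { op: 'add', path: '/a/b', value: 1 });
  return result;
}

console.log(demonstrate());
```

The check that matters is the one that runs before any traversal: once a segment has been used to step into Object.prototype, every later write lands there, so rejecting the special names at the last segment only is not enough. Treating only own properties as valid intermediate nodes closes the same route for any other inherited object a segment might name.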
NVD CVSS 3.1 base score: 8.2
NVD CVSS 4.0 base score: 7.8
Vulnerability type
CWE-1321 Prototype Pollution
Published: 16 May 2026 · Updated: 28 May 2026 · First seen: 16 May 2026