Prototype Pollution in JSON5 via Parse Method

[vedxp]

Describe the bug

The parse method of the JSON5 library before and including version 2.2.1 does not restrict parsing of keys named proto, allowing specially crafted strings to pollute the prototype of the resulting object.

This vulnerability pollutes the prototype of the object returned by JSON5.parse and not the global Object prototype, which is the commonly understood definition of Prototype Pollution. However, polluting the prototype of a single object can have significant security impact for an application if the object is later used in trusted operations.

Checkout the complete alert

Expected behaviour

No response

Screenshots / Live demo link

No response

Additional context

No response