CVE-2026-15195
Received Received - Intake

Prototype Pollution in json-schema-ref-parser

Vulnerability report for CVE-2026-15195, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-09

Last updated on: 2026-07-09

Assigner: VulDB

Description

A weakness has been identified in apidevtools json-schema-ref-parser up to 15.3.5. This impacts the function Refs.set/Pointer.set in the library lib/pointer.ts. Executing a manipulation can lead to improperly controlled modification of object prototype attributes. The attack can be launched remotely. Upgrading to version 15.3.6 will fix this issue. This patch is called a786bc6afc3674f650496472ee93d5cf74c4bd84. It is suggested to upgrade the affected component.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-09
Last Modified
2026-07-09
Generated
2026-07-09
AI Q&A
2026-07-09
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 3 associated CPEs
Vendor Product Version / Range
apidevtools json-schema-ref-parser to 15.3.6 (exc)
apidevtools json-schema-ref-parser to 15.3.5 (inc)
apidevtools json-schema-ref-parser 15.3.6

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-94 The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
CWE-1321 The product receives input from an upstream component that specifies attributes that are to be initialized or updated in an object, but it does not properly control modifications of attributes of the object prototype.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Compliance Impact

The vulnerability in apidevtools json-schema-ref-parser allows prototype pollution through unsafe JSON Pointer tokens, which can lead to logic corruption, denial of service, or unsafe property resolution.

Such security weaknesses can potentially impact compliance with standards and regulations like GDPR or HIPAA, as they may expose applications to unauthorized data manipulation or denial of service, thereby risking data integrity and availability.

However, the provided information does not explicitly discuss or analyze the direct impact of this vulnerability on compliance with these or other common standards and regulations.

Executive Summary

CVE-2026-15195 is a prototype pollution vulnerability in the apidevtools json-schema-ref-parser library up to version 15.3.5. It affects the functions Refs.set and Pointer.set, which handle JSON Pointer strings without properly sanitizing dangerous tokens such as "__proto__", "constructor", or "prototype".

This flaw allows an attacker to manipulate the Object prototype by passing crafted JSON Pointer paths, leading to potential logic corruption, denial of service, unsafe property resolution, or further exploitation depending on how the application uses the library.

The vulnerability arises because the library forwards JSON Pointer strings to internal pointer write operations that do not block these unsafe tokens, enabling prototype pollution.

The issue was fixed in version 15.3.6 by blocking unsafe pointer set tokens and adding validation to reject dangerous JSON Pointer paths.

Impact Analysis

This vulnerability can impact you by allowing remote attackers to manipulate the prototype of JavaScript objects used by applications relying on the json-schema-ref-parser library.

Such prototype pollution can lead to logic corruption within the application, denial of service conditions, unsafe property resolution, or enable further malicious exploits depending on the context.

Because the library is widely used for resolving complex JSON Schema references, including external files and URLs, this vulnerability can affect many applications that depend on it for JSON Schema processing.

Users are advised to upgrade to version 15.3.6 or later to mitigate these risks.

Detection Guidance

This vulnerability involves prototype pollution via unsafe JSON Pointer tokens in the apidevtools json-schema-ref-parser library, specifically in the $Refs.set() and Pointer.set() functions. Detection involves identifying usage of vulnerable versions (up to 15.3.5) of this library in your environment.

You can detect the presence of the vulnerable library version by checking your project's dependencies. For example, in a Node.js environment, run the following command to find the installed version:

  • npm ls json-schema-ref-parser

If the version is 15.3.5 or earlier, your system is vulnerable.

Additionally, monitoring logs or application behavior for unexpected prototype modifications or errors related to JSON Pointer usage might help detect exploitation attempts, but no specific detection commands are provided in the available resources.

Mitigation Strategies

The primary mitigation step is to upgrade the apidevtools json-schema-ref-parser library to version 15.3.6 or later, where the vulnerability has been fixed.

The fix blocks unsafe pointer set tokens such as "__proto__", "constructor", and "prototype" to prevent prototype pollution.

If upgrading immediately is not possible, consider implementing input validation to reject or sanitize JSON Pointer strings containing dangerous tokens before they reach the vulnerable functions.

Review your code to avoid using the vulnerable $Refs.set() and Pointer.set() APIs with untrusted input.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-15195. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart