CVE-2026-16008
Deferred Deferred - Pending Action

Prototype Pollution in json-schema-library

Vulnerability report for CVE-2026-16008, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-17

Last updated on: 2026-07-17

Assigner: VulDB

Description

A security vulnerability has been detected in sagold json-schema-library 11.5.0/11.5.1. This impacts the function parsePropertyDependencies of the file src/keywords/propertyDependencies.ts. The manipulation leads to improperly controlled modification of object prototype attributes. The attack can be initiated remotely. Upgrading to version 11.6.0 will fix this issue. The identifier of the patch is 432287ee6f68a02ce6f015354618486ec427a32d. It is advisable to upgrade the affected component.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-17
Last Modified
2026-07-17
Generated
2026-07-17
AI Q&A
2026-07-17
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 3 associated CPEs
Vendor Product Version / Range
sagold json-schema-library 11.5.0
sagold json-schema-library 11.5.1
sagold json-schema-library 11.6.0

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-94 The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
CWE-1321 The product receives input from an upstream component that specifies attributes that are to be initialized or updated in an object, but it does not properly control modifications of attributes of the object prototype.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability is a prototype pollution issue in the json-schema-library versions 11.5.0 and 11.5.1. It occurs in the parsePropertyDependencies function of src/keywords/propertyDependencies.ts. Attackers can remotely manipulate the prototype chain by using __proto__ as a property dependency key, leading to unintended behavior or security issues.

Detection Guidance

To detect this vulnerability, check if your system uses sagold json-schema-library versions 11.5.0 or 11.5.1. Inspect package.json or dependency files for the library version. If the experimental propertyDependenciesKeyword is enabled, test for prototype pollution by compiling a schema with propertyDependencies.__proto__ entries and verifying Object.prototype modifications.

Impact Analysis

The impact includes unexpected behavior, logic bypass, denial of service, or unsafe interactions due to polluted prototype properties. Applications compiling schemas from untrusted input and enabling the experimental propertyDependenciesKeyword are at risk.

Compliance Impact

This vulnerability involves prototype pollution, which could allow attackers to modify Object.prototype. This may lead to unexpected behavior in applications using the library, potentially affecting data integrity and security. While not directly violating GDPR or HIPAA, such vulnerabilities could contribute to compliance risks by enabling unauthorized data access or manipulation if exploited in systems handling sensitive data.

Mitigation Strategies

Upgrade sagold json-schema-library to version 11.6.0 or later. If upgrading is not possible, disable the experimental propertyDependenciesKeyword or implement input validation to reject prototype pollution primitives like __proto__, prototype, and constructor in property dependencies.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-16008. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart