PatchSiren cyber security CVE debrief
CVE-2026-8657 Gist CVE debrief
CVE-2026-8657 is a high-severity prototype pollution issue in jsondiffpatch versions before 0.7.6. The vulnerable patch-related APIs can be driven by attacker-controlled delta or JSON Patch input, allowing special property paths such as __proto__ or constructor.prototype to reach and modify Object.prototype.
- Vendor: Gist
- Product: Unknown
- CVSS: HIGH 7.8
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-16
- Original CVE updated: 2026-05-16
- Advisory published: 2026-05-16
- Advisory updated: 2026-05-16
Who should care
Teams that use jsondiffpatch in JavaScript or Node.js applications, especially where patch() or jsonpatch.patch() may process untrusted or partially trusted input. Security and platform teams should also care because prototype pollution can have application-wide effects beyond the immediate call site.
Technical summary
The issue is described as prototype pollution in jsondiffpatch before 0.7.6 via jsondiffpatch.patch() and jsondiffpatch/formatters/jsonpatch.patch(). According to the supplied record, attacker-controlled property names and path segments are used to traverse and modify objects without restricting access to special properties like __proto__ or constructor.prototype, which can result in modification of Object.prototype. The NVD record classifies the weakness as CWE-1321 and rates the issue HIGH (CVSS 7.8).
Defensive priority
High. The flaw is network-reachable in the general case, requires no privileges or user interaction, and can alter fundamental object behavior across an application. Upgrade and input hardening should be treated as urgent for any deployment that accepts external patch-like documents.
Recommended defensive actions
- Upgrade jsondiffpatch to version 0.7.6 or later.
- Inventory all uses of patch() and jsonpatch.patch() and determine whether any untrusted input can reach them.
- Reject or strictly validate patch documents and delta objects before applying them, with explicit blocking for special properties such as __proto__ and constructor.prototype.
- Add regression tests that verify prototype-pollution payloads are refused and that Object.prototype remains unchanged after patch application.
- Pin and review dependency versions in build and release pipelines so vulnerable jsondiffpatch releases are not reintroduced.
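As an added example (not code from jsondiffpatch, from the fix commit, or from this advisory), the following Node.js helper implements the validation and regression check recommended above. It assumes the application hands patch-like input to the library either as RFC 6902 JSON Patch arrays (the jsonpatch.patch() shape) or as nested delta objects keyed by property name (the patch() shape); the function names, the applyFn callback that stands in for the real patch call, and the sample documents are all constructed for this illustration.

```javascript
// Added example, not jsondiffpatch's own code. Gate patch-like input before it
// reaches patch()/jsonpatch.patch(), and verify Object.prototype afterwards.
// Assumption: inputs are RFC 6902 JSON Patch arrays or nested delta objects
// whose keys are property names; applyFn stands in for the real patch call.

// Split an RFC 6902 JSON Pointer ("/a/b~1c") into unescaped segments.
function pointerSegments(pointer) {
  if (pointer === '') return [];
  if (typeof pointer !== 'string' || pointer[0] !== '/') {
    throw new TypeError(`invalid JSON Pointer: ${JSON.stringify(pointer)}`);
  }
  return pointer.slice(1).split('/')
    .map((s) => s.replace(/~1/g, '/').replace(/~0/g, '~'));
}

// True if walking these segments would land on Object.prototype:
// a "__proto__" segment anywhere, or "constructor" followed by "prototype".
function isUnsafePath(segments) {
  for (let i = 0; i < segments.length; i++) {
    if (segments[i] === '__proto__') return true;
    if (segments[i] === 'constructor' && segments[i + 1] === 'prototype') return true;
  }
  return false;
}

// JSON Patch documents: return every "path"/"from" pointer that is unsafe.
function findUnsafePointers(patchDoc) {
  if (!Array.isArray(patchDoc)) throw new TypeError('JSON Patch must be an array');
  const unsafe = [];
  for (const op of patchDoc) {
    for (const field of ['path', 'from']) {
      if (typeof op[field] === 'string' && isUnsafePath(pointerSegments(op[field]))) {
        unsafe.push(op[field]);
      }
    }
  }
  return unsafe;
}

// Nested delta objects: return the dotted path at which each branch first
// becomes unsafe. Object.keys() reports "__proto__" as an own key when the
// delta came from JSON.parse(), which is the untrusted-input case that matters.
function findUnsafeDeltaPaths(delta, prefix = []) {
  if (delta === null || typeof delta !== 'object') return [];
  const unsafe = [];
  for (const key of Object.keys(delta)) {
    const path = prefix.concat(key);
    if (isUnsafePath(path)) {
      unsafe.push(path.join('.')); // flag once, do not descend further
    } else {
      unsafe.push(...findUnsafeDeltaPaths(delta[key], path));
    }
  }
  return unsafe;
}

// Wrapper to put in front of the real patch call: refuse unsafe documents.
function safeApply(target, doc, applyFn) {
  const unsafe = Array.isArray(doc) ? findUnsafePointers(doc) : findUnsafeDeltaPaths(doc);
  if (unsafe.length > 0) {
    throw new Error(`refusing patch that targets special properties: ${unsafe.join(', ')}`);
  }
  return applyFn(target, doc);
}

// Regression helper: run fn and report whether Object.prototype's own
// property set is identical before and after.
function prototypeUnchanged(fn) {
  const snapshot = () => Object.getOwnPropertyNames(Object.prototype).sort().join(',');
  const before = snapshot();
  fn();
  return snapshot() === before;
}

// Constructed sample documents, parsed from JSON as untrusted input would be.
const SAFE_PATCH = JSON.parse('[{"op":"replace","path":"/name","value":"alice"}]');
const ESCAPED_PATCH = JSON.parse('[{"op":"add","path":"/a~1b/x","value":1}]');
const UNSAFE_PATCH = JSON.parse('[{"op":"add","path":"/__proto__/polluted","value":true}]');
const MOVE_PATCH = JSON.parse('[{"op":"move","from":"/constructor/prototype/x","path":"/y"}]');
const SAFE_DELTA = JSON.parse('{"name":["bob","alice"]}');
const UNSAFE_DELTA = JSON.parse('{"constructor":{"prototype":{"polluted":[true]}}}');

// Demo with a no-op stand-in for the real patch function; returns the values
// a regression test would assert on.
function demo() {
  const applyFn = (target) => target;
  const rejected = [];
  for (const doc of [UNSAFE_PATCH, MOVE_PATCH, UNSAFE_DELTA]) {
    try { safeApply({}, doc, applyFn); } catch (e) { rejected.push(e.message); }
  }
  const accepted = [SAFE_PATCH, ESCAPED_PATCH, SAFE_DELTA]
    .every((doc) => safeApply({}, doc, applyFn) !== undefined);
  const untouched = prototypeUnchanged(() => safeApply({}, SAFE_PATCH, applyFn));
  return { rejected: rejected.length, accepted, untouched };
}

console.log(demo());
```

The check mirrors the advisory's wording: a `__proto__` segment anywhere, or `constructor` immediately followed by `prototype`, is refused, while escaped pointer segments such as `a~1b` are decoded first so that a harmless key containing a slash is not misread. Teams that prefer a blunter rule can add `constructor` and `prototype` to the forbidden set outright at the cost of rejecting legitimate data that happens to use those names. The validator is a defence-in-depth layer in front of the upgrade to 0.7.6, not a substitute for it.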
Evidence notes
The supplied NVD record states that jsondiffpatch versions before 0.7.6 are vulnerable to prototype pollution through jsondiffpatch.patch() and jsondiffpatch/formatters/jsonpatch.patch(). The record also names CWE-1321 and includes references to a Snyk advisory, a related gist report, source locations in nested.ts and jsonpatch-apply.ts, and a commit associated with the fix. The source references support the affected code paths and remediation trail, but the corpus does not include a full patch diff narrative beyond those links.
Official resources
Publicly disclosed on 2026-05-16, matching the CVE and source record timestamps supplied in the corpus.