additional data is valid according to the json schema. vulnerability

[jasoncopseynielseniq]

non schema defined data validates against the schema - suggest schema is tightened to reject anything that is not defined.

[jasoncopseynielseniq]

consider restricting additional data to reduce attack surface.
json schema structure doesn't seem to handle this quite right. may be possible to achieve with manually specified restrictions.
reference http://json-schema.org/draft-06/json-schema-release-notes.html
specifically "q-what-happened-to-all-the-discussions-around-re-using-schemas-with-additionalproperties"