Code Injection in JSONata - #VU138341
Published: July 17, 2026
JSONata
Detailed vulnerability description
The vulnerability allows a remote attacker to execute arbitrary code.
The vulnerability exists due to improper control over dynamically managed code resources in expression evaluation logic when processing crafted JSONata expressions. A remote attacker can supply a specially crafted expression to execute arbitrary code.
The issue can be triggered by chaining multiple expression-manipulation behaviors, including overwriting $clone, destructuring functions or lambdas, and abusing proc.arguments.forEach in applyProcedure.