#VU88224 Prototype pollution in JSONata - CVE-2024-27307


Published: April 9, 2024


Vulnerability identifier: #VU88224
Vulnerability risk: High
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber
CVE-ID: CVE-2024-27307
CWE-ID: CWE-1321
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vulnerable software: JSONata
Software vendor: andrew-coleman

Description

The vulnerability allows a remote attacker to execute arbitrary JavaScript code.

The vulnerability exists because a malicious expression can use the transform operator to override properties on the `Object` constructor and prototype. A remote attacker can pass specially crafted input to the application and perform prototype pollution, which can result in denial of service, remote code execution or other unexpected behavior in applications that evaluate user-provided JSONata expressions.
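The description above concerns tampering with the `Object` constructor and `Object.prototype`; as an added example that is not part of this advisory or of the JSONata project, the following Node.js guard snapshots both objects around an untrusted evaluation, reports any property that was injected, overridden or deleted, and restores the original shape. The polluting evaluator at the end is a constructed stand-in so the guard can be exercised, not a JSONata expression, and the wrapper names (`evaluateGuarded`, `diffAndRestore`) are assumptions of this example.

```javascript
// Snapshot the own-property descriptors of a target (Object or Object.prototype).
const snapshot = (target) => new Map(
  Reflect.ownKeys(target).map((k) => [k, Object.getOwnPropertyDescriptor(target, k)]));

const sameDescriptor = (a, b) =>
  ['value', 'get', 'set', 'writable', 'enumerable', 'configurable'].every((f) => a[f] === b[f]);

// Compare `target` with its snapshot, undo any change and return the names of the
// properties that were injected, overridden or deleted.
function diffAndRestore(target, before, label) {
  const tampered = [];
  const current = new Set(Reflect.ownKeys(target));
  for (const key of current) {
    const was = before.get(key);
    if (!was) {
      tampered.push(label + String(key));
      delete target[key];                      // injected property
    } else if (!sameDescriptor(Object.getOwnPropertyDescriptor(target, key), was)) {
      tampered.push(label + String(key));
      Object.defineProperty(target, key, was); // overridden property
    }
  }
  for (const [key, was] of before) {
    if (!current.has(key)) {
      tampered.push(label + String(key));
      Object.defineProperty(target, key, was); // deleted property
    }
  }
  return tampered;
}

// Run an untrusted evaluation (e.g. a closure around a compiled expression's
// evaluate call) and report any pollution of Object or Object.prototype it caused.
function evaluateGuarded(evaluate) {
  const protoBefore = snapshot(Object.prototype);
  const ctorBefore = snapshot(Object);
  let result, polluted = [];
  try { result = evaluate(); } finally {
    polluted = diffAndRestore(Object.prototype, protoBefore, 'Object.prototype.')
      .concat(diffAndRestore(Object, ctorBefore, 'Object.'));
  }
  return { result, polluted };
}

// Constructed stand-in for a vulnerable evaluator (not a JSONata expression).
function simulatedPollutingEvaluation() {
  Object.prototype.injected = 'x';
  return 42;
}
```

Treat a non-empty `polluted` list as a security event worth logging and alerting on, since the guard only contains the damage within one evaluation.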


Remediation

Install updates from vendor's website.

External links