Description
In JSONata versions >= 1.4.0, < 1.8.7 and >= 2.0.0, < 2.0.4, a malicious expression can use the transform operator to override properties on the Object constructor and on Object.prototype. Because every object in the Node.js process inherits from that prototype, this may lead to denial of service, remote code execution or other unexpected behavior in applications that evaluate user-provided (untrusted) JSONata expressions. Applications that only evaluate expressions written by their own developers are not exposed through this path.
Recommendation
Update the jsonata package to the latest compatible version: 1.8.7 if you are still on the 1.x line, 2.0.4 or later otherwise. Until the upgrade is in place, do not evaluate JSONata expressions that come from untrusted sources. Version details:
Affected version(s): **>= 1.4.0, < 1.8.7** and **>= 2.0.0, < 2.0.4**
Patched version(s): **1.8.7** and **2.0.4**
References
Related Issues
- ag-grid packages vulnerable to Prototype Pollution - CVE-2024-39001
- Prototype pollution in Plist before 3.0.5 can cause denial of service - CVE-2022-22912
- Vite dev server option `server.fs.deny` can be bypassed when hosted on case-insensitive filesystem - CVE-2024-23331
- es5-ext vulnerable to Regular Expression Denial of Service in `function#copy` and `function#toStringTokens` - CVE-2024-27088
Tags: npm, jsonata
Last updated on March 06, 2024