Description
In JSONata versions >= 1.4.0, < 1.8.7 and >= 2.0.0, < 2.0.4, a malicious expression can use the transform operator to override properties on the Object constructor and prototype. This may lead to denial of service, remote code execution or other unexpected behavior in applications that evaluate user-provided JSONata expressions.
Recommendation
Update the jsonata package to the latest compatible version. Followings are version details:
Affected version(s): **>= 2.0.0, < 2.0.4 >= 1.4.0, < 1.8.7** Patched version(s): **2.0.4 1.8.7**
References
Related Issues
- vue-i18n has cross-site scripting vulnerability with prototype pollution - @intlify/vue-i18n-core - CVE-2024-52809
- vue-i18n has cross-site scripting vulnerability with prototype pollution - vue-i18n - CVE-2024-52809
- @thi.ng/paths Prototype Pollution vulnerability - CVE-2024-29650
- vue-i18n has cross-site scripting vulnerability with prototype pollution - CVE-2024-52809
You might also like:
- Tags:
- npm
- jsonata
Anything's wrong? Let us know Last updated on March 06, 2024


