Description
In JSONata versions >= 1.4.0, < 1.8.7 and >= 2.0.0, < 2.0.4, a malicious expression can use the transform operator (`~> | location | update [, delete] |`) to override properties on the Object constructor and prototype, that is, a prototype-pollution primitive reachable from the update object of the transform. Depending on what the host application does with objects afterwards, this may lead to denial of service, remote code execution or other unexpected behavior. Only applications that evaluate user-provided (untrusted) JSONata expressions are exposed; expressions that are fixed in application code are not attacker-controlled.
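The following is an added illustration and not code from the jsonata project or from the advisory: a toy "transform" in the shape of the JSONata operator (deep-copy the input, select nodes, merge an update object into each) written once without key filtering and once with it. The `ORDER` document, the `selectItems` locator and the malicious update literal are constructed for this example. The point it shows is why an unfiltered merge of an attacker-controlled update object reaches `Object.prototype`: `target["__proto__"]` on any plain object resolves to `Object.prototype`, so recursing into it writes onto every object in the process.

```javascript
'use strict';
// Added example (not jsonata's own implementation). Mimics the shape of the
// ~> | location | update | transform operator with a pluggable merge step.

// Property names that must never be taken from an untrusted update object.
const DANGEROUS_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function isPlainObject(v) {
  return v !== null && typeof v === 'object' && !Array.isArray(v);
}

// Vulnerable merge: no key filtering. For key "__proto__", target[key] is
// Object.prototype (inherited accessor), so the recursion pollutes it.
function mergeUnchecked(target, update) {
  for (const key of Object.keys(update)) {
    const value = update[key];
    if (isPlainObject(value) && isPlainObject(target[key])) {
      mergeUnchecked(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Hardened merge: reject reserved names outright and only recurse into
// properties the node actually owns, never into inherited ones.
function mergeChecked(target, update) {
  for (const key of Object.keys(update)) {
    if (DANGEROUS_KEYS.has(key)) {
      throw new Error('refusing to set reserved property name: ' + key);
    }
    const value = update[key];
    const ownChild =
      Object.prototype.hasOwnProperty.call(target, key) && isPlainObject(target[key]);
    if (isPlainObject(value) && ownChild) {
      mergeChecked(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Toy transform: work on a deep copy (as JSONata does), locate nodes, merge.
function transform(input, locate, update, merge) {
  const copy = JSON.parse(JSON.stringify(input));
  for (const node of locate(copy)) merge(node, update);
  return copy;
}

// Constructed sample input and update objects (not from the advisory).
const ORDER = { items: [{ sku: 'A1', qty: 1 }, { sku: 'B2', qty: 3 }] };
const selectItems = (doc) => doc.items;
const UPDATE_BENIGN = { discounted: true };
// JSON.parse creates an *own* property literally named "__proto__".
const UPDATE_MALICIOUS = JSON.parse('{"__proto__": {"polluted": true}}');

// Returns true if an unrelated fresh object now inherits the attacker's key.
function demoVulnerable() {
  transform(ORDER, selectItems, UPDATE_MALICIOUS, mergeUnchecked);
  const leaked = ({}).polluted === true;
  delete Object.prototype.polluted; // clean up so the process is not left polluted
  return leaked;
}

// Returns whether the hardened path rejected the update and whether anything leaked.
function demoHardened() {
  let rejected = false;
  try {
    transform(ORDER, selectItems, UPDATE_MALICIOUS, mergeChecked);
  } catch (e) {
    rejected = true;
  }
  return { rejected, polluted: ({}).polluted === true };
}

// The hardened merge still performs ordinary updates.
function demoBenign() {
  return transform(ORDER, selectItems, UPDATE_BENIGN, mergeChecked);
}

if (typeof module !== 'undefined' && require.main === module) {
  console.log('unchecked merge polluted Object.prototype:', demoVulnerable());
  console.log('checked merge:', demoHardened());
  console.log('benign update:', JSON.stringify(demoBenign()));
}
```

The reserved-name set is the minimum; `constructor` is listed because `constructor.prototype` is the other well-known route to the same target. Rejecting with an error rather than silently dropping the key is deliberate: a transform that quietly ignores part of an update is harder to notice in testing than one that fails.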
Recommendation
Update the jsonata package to a patched release on your major version line. Version details:
Affected version(s): **>= 1.4.0, < 1.8.7** and **>= 2.0.0, < 2.0.4** Patched version(s): **1.8.7** and **2.0.4**
Tags: npm, jsonata
Last updated on March 06, 2024