Description

In JSONata versions >= 1.4.0, < 1.8.7 and >= 2.0.0, < 2.0.4, a malicious expression can use the transform operator to override properties on the Object constructor and prototype. This may lead to denial of service, remote code execution or other unexpected behavior in applications that evaluate user-provided JSONata expressions.
Recommendation

Update the jsonata package to the latest compatible version. Version details are as follows:

Affected version(s): **>= 1.4.0, < 1.8.7** and **>= 2.0.0, < 2.0.4**
Patched version(s): **1.8.7** and **2.0.4**
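As an added example covering both the description and the recommendation above (it is not code from this advisory or from the jsonata project), the following script checks an installed jsonata version against the affected ranges and wraps an expression evaluation in a canary that reports any change to Object or Object.prototype; the `evaluate` callback is an assumed stand-in for a call such as `jsonata(expr).evaluate(input)`.

```javascript
// Affected ranges from the advisory: >=1.4.0 <1.8.7 and >=2.0.0 <2.0.4 (max exclusive)
const AFFECTED_RANGES = [
  { min: [1, 4, 0], max: [1, 8, 7] },
  { min: [2, 0, 0], max: [2, 0, 4] },
];
function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  return 0;
}
// true if the given jsonata version string falls inside an affected range
function isAffectedJsonataVersion(version) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(version);
  if (!m) throw new Error(`unparseable version: ${version}`);
  const v = m.slice(1, 4).map(Number);
  return AFFECTED_RANGES.some(
    (r) => compareVersions(v, r.min) >= 0 && compareVersions(v, r.max) < 0
  );
}
// Own-property descriptors of an object, keyed by name
function snapshotOwnProps(obj) {
  const snap = new Map();
  for (const name of Object.getOwnPropertyNames(obj)) {
    snap.set(name, Object.getOwnPropertyDescriptor(obj, name));
  }
  return snap;
}
// false if any property was added, removed, or had its value/getter/setter replaced
function samePropertySet(before, after) {
  if (before.size !== after.size) return false;
  for (const [name, d] of before) {
    const e = after.get(name);
    if (!e || !Object.is(d.value, e.value) || d.get !== e.get || d.set !== e.set) return false;
  }
  return true;
}
// Runs `evaluate` (assumed stand-in for () => jsonata(expr).evaluate(input)) and
// throws if it changed Object or Object.prototype. Detection only: the pollution
// is not undone, so treat a throw as an incident, not a recoverable error.
function evaluateWithPrototypeCanary(evaluate) {
  const ctorBefore = snapshotOwnProps(Object);
  const protoBefore = snapshotOwnProps(Object.prototype);
  const result = evaluate();
  if (!samePropertySet(ctorBefore, snapshotOwnProps(Object)) ||
      !samePropertySet(protoBefore, snapshotOwnProps(Object.prototype))) {
    throw new Error("JSONata evaluation modified Object or Object.prototype");
  }
  return result;
}
```

The canary catches both added keys and replaced built-ins (for example a swapped Object.prototype.toString), but it is a post-hoc detector: upgrading to a patched release is the actual fix.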
References
Related Issues
- Prototype Pollution in lodash (GHSA-jf85-cpcp-j695) - CVE-2019-10744
- Passbolt Browser Extension leaks password information - CVE-2024-33669
- Improper Certificate Validation in xmlhttprequest-ssl - CVE-2021-31597
Tags: npm, jsonata
Last updated on March 06, 2024