Description
JSONata is a JSON query and transformation language. Starting in version 1.4.0 and prior to versions 1.8.7 and 2.0.4, a malicious expression can use the transform operator to override properties on the `Object` constructor and prototype (prototype pollution). This may lead to denial of service, remote code execution or other unexpected behavior in applications that evaluate user-provided JSONata expressions. This issue has been fixed in JSONata versions 1.8.7 and 2.0.4. Applications that evaluate user-provided expressions should update ASAP to prevent exploitation. As a workaround, one may apply the patch manually.
References (5)
Technical Description, Vendor Advisory: https://github.com/jsonata-js/jsonata/security/advisories/GHSA-fqg8-vfv7-8fj8
Patch: https://github.com/jsonata-js/jsonata/commit/1d579dbe99c19fbe509f5ba2c6db7959b0d456d1
Patch: https://github.com/jsonata-js/jsonata/commit/335d38f6278e96c908b24183f1c9c90afc8ae00c
Patch: https://github.com/jsonata-js/jsonata/commit/c907b5e517bb718015fcbd993d742ba6202f2be2
Product, Release Notes: https://github.com/jsonata-js/jsonata/releases/tag/v2.0.4
Scores
CVSS v3 base score: 9.8 (Critical)
CVSS v3.1 vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector: NETWORK
EPSS: 0.0142
EPSS Percentile: 69.3%
CISA SSVC (Vulnrichment)
Exploitation: none
Automatable: yes
Technical Impact: total
Details
CWE: CWE-1321 (Improperly Controlled Modification of Object Prototype Attributes, "Prototype Pollution")
Status: published
Products (2)
jsonata/jsonata: 1.4.0 - 1.8.7
npm/jsonata: 1.4.0 - 1.8.7
Published: Mar 06, 2024
Tracked Since: Feb 18, 2026