Bug 2268370 (CVE-2024-27307) - CVE-2024-27307 jsonata: malicious expression can pollute the "Object" prototype
Summary: CVE-2024-27307 jsonata: malicious expression can pollute the "Object" prototype
Keywords:
Status: NEW
Alias: CVE-2024-27307
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: ---
Assignee: Product Security
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks: 2268371
 
Reported: 2024-03-07 06:31 UTC by TEJ RATHI
Modified: 2025-05-06 08:28 UTC

Fixed In Version: jsonata 1.8.7, jsonata 2.0.4
Clone Of:
Environment:
Last Closed:
Embargoed:



Description TEJ RATHI 2024-03-07 06:31:07 UTC
Starting in version 1.4.0 and prior to version 1.8.7 and 2.0.4, a malicious expression can use the transform operator to override properties on the `Object` constructor and prototype. This may lead to denial of service, remote code execution or other unexpected behavior in applications that evaluate user-provided JSONata expressions. This issue has been fixed in JSONata versions 1.8.7 and 2.0.4. Applications that evaluate user-provided expressions should update ASAP to prevent exploitation.

https://github.com/jsonata-js/jsonata/commit/1d579dbe99c19fbe509f5ba2c6db7959b0d456d1
https://github.com/jsonata-js/jsonata/commit/335d38f6278e96c908b24183f1c9c90afc8ae00c
https://github.com/jsonata-js/jsonata/commit/c907b5e517bb718015fcbd993d742ba6202f2be2
https://github.com/jsonata-js/jsonata/releases/tag/v2.0.4
https://github.com/jsonata-js/jsonata/security/advisories/GHSA-fqg8-vfv7-8fj8
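The description above says the transform operator's update step can reach the `Object` constructor and its prototype. The block below is an added example, not jsonata's own code and not the fixing commits: it models that update step as a plain recursive deep merge over parsed JSON, first in the shape that is vulnerable and then hardened, so the two prototype-reaching paths named in the advisory (`__proto__`, and `constructor` then `prototype`) can be observed and blocked in isolation. The payload strings, the `runPayload` harness and the `isAffectedVersion` triage helper are constructed for this example; the version helper encodes only the range the advisory states (1.4.0 up to but excluding 1.8.7, and 2.0.0 up to but excluding 2.0.4).

```javascript
// Added example, not jsonata's code. Models a transform-style deep merge over
// JSON data: vulnerable shape, hardened shape, and a version-range triage helper.

function isObjectLike(v) {
  return v !== null && (typeof v === 'object' || typeof v === 'function');
}

function isPlainObject(v) {
  if (v === null || typeof v !== 'object') return false;
  const proto = Object.getPrototypeOf(v);
  return proto === Object.prototype || proto === null;
}

// VULNERABLE: target[key] follows the prototype chain, so "__proto__" resolves
// to Object.prototype and "constructor" resolves to the Object function, whose
// "prototype" is again Object.prototype. Recursing into either writes there.
function vulnerableMerge(target, update) {
  for (const key of Object.keys(update)) {
    const next = update[key];
    if (isObjectLike(next) && isObjectLike(target[key])) {
      vulnerableMerge(target[key], next);
    } else {
      target[key] = next;
    }
  }
  return target;
}

const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// HARDENED: reject the reserved keys outright, recurse only into own plain-object
// properties, and write with defineProperty so an inherited setter cannot run.
function hardenedMerge(target, update) {
  for (const key of Object.keys(update)) {
    if (FORBIDDEN_KEYS.has(key)) {
      throw new Error(`refusing to write reserved key "${key}"`);
    }
    const next = update[key];
    const hasOwn = Object.prototype.hasOwnProperty.call(target, key);
    if (isPlainObject(next) && hasOwn && isPlainObject(target[key])) {
      hardenedMerge(target[key], next);
    } else {
      Object.defineProperty(target, key, {
        value: next, writable: true, enumerable: true, configurable: true,
      });
    }
  }
  return target;
}

// Constructed attacker payloads standing in for the update object an evaluated
// expression would hand to the merge. JSON.parse creates an own "__proto__"
// property (it does not set the prototype), which is what makes the key visible
// to Object.keys in the vulnerable merge.
const PAYLOADS = {
  viaProto: '{"__proto__": {"polluted": "yes"}}',
  viaConstructor: '{"constructor": {"prototype": {"polluted": "yes"}}}',
};

// Feeds one payload to a merge function and reports whether a fresh, unrelated
// object inherited the injected property. Cleans Object.prototype afterwards so
// the demonstration cannot leave the process polluted.
function runPayload(merge, payloadName) {
  const update = JSON.parse(PAYLOADS[payloadName]);
  let threw = false;
  try {
    merge({ a: 1 }, update);
  } catch (_) {
    threw = true;
  }
  const polluted = ({}).polluted === 'yes';
  delete Object.prototype.polluted;
  return { threw, polluted };
}

// Triage helper for the advisory's stated range: >=1.4.0 <1.8.7 and >=2.0.0 <2.0.4.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unparseable version "${v}"`);
  return m.slice(1, 4).map(Number);
}

function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] - b[i];
  return 0;
}

function isAffectedVersion(v) {
  const p = parseVersion(v);
  const inRange = (lo, hi) =>
    compareVersions(p, parseVersion(lo)) >= 0 && compareVersions(p, parseVersion(hi)) < 0;
  return inRange('1.4.0', '1.8.7') || inRange('2.0.0', '2.0.4');
}

// Stand-alone run: show what each merge does with each payload.
for (const [name, merge] of [['vulnerable', vulnerableMerge], ['hardened', hardenedMerge]]) {
  for (const payload of Object.keys(PAYLOADS)) {
    console.log(name, payload, runPayload(merge, payload));
  }
}
```

The denylist is the minimum; the own-property check and `defineProperty` write matter too, because a merge that recurses only into own properties never reaches `Object.prototype` through the chain, and a direct define cannot be intercepted by a setter an earlier pollution may have planted. For the real fix, use the jsonata releases named in the bug rather than patching around the library.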

