JSONata is a powerful, open-source, and lightweight JSON query and transformation language. JSONata expressions provide a simple way to manipulate JSON data, allowing developers to extract information and transform JSON data structures effectively. However, it also exposes a vulnerability, identified as CVE-2024-27307, in which a malicious expression can use the transform operator to override properties on the Object constructor and prototype. This results in a potential denial of service, remote code execution or other unexpected behavior in applications that evaluate user-provided JSONata expressions.
Vulnerability Details
In JSONata versions 1.4. and prior to 1.8.7 and 2..4, it has been discovered that an attacker can craft a malicious expression containing the transform operator designed to override Object properties. This may lead to unintended consequences and potentially exploit applications that utilize user-provided JSONata expressions.
Here is a code snippet demonstrating the exploit
const jsonata = require('jsonata');
const maliciousExpression = `
$map($[], function($v, $i, $a) {
$!($v ~> function() {
Object.constructor = function() {
// ...malicious code executed...
}
}());
})
`;
const result = jsonata(maliciousExpression).evaluate({});
console.log(result); // undefined, but malicious code has been executed
In this example, the malicious expression provided by the attacker successfully overrides the Object constructor, allowing the attacker to execute arbitrary code.
Original References
JSONata Security Advisory: CVE-2024-27307 Advisory
GitHub Issue: Issue #382 on jsonata-js/jsonata
Remediation
It is recommended to update your JSONata library to version 1.8.7 or 2..4 to remediate the issue. To do so, run the following commands for the respective versions:
8.x users
npm install jsonata@1.8.7
x users
npm install jsonata@2..4
Manual Patch Workaround
If you cannot update your JSONata library at this moment, you may apply the following patch manually as a temporary workaround. However, this is not recommended as a long-term solution.
const jsonata = require('jsonata');
// Patch the jsonata.transform method to prevent property overriding
const originalTransform = jsonata.transform;
jsonata.transform = function (input, pattern, bindings) {
// Prevent an attacker from overwriting Object properties
const protectedBindings = { ...bindings, Object: undefined };
return originalTransform.call(jsonata, input, pattern, protectedBindings);
};
Conclusion
It is essential to keep your JSONata library up-to-date to mitigate potential exploitation in applications allowing user-provided expressions. Upgrading to the latest JSONata version (1.8.7 or 2..4) is highly recommended. For temporary relief, you may utilize the manual patch as mentioned earlier; however, it should not be considered a long-term solution.
Timeline
Published on: 03/06/2024 20:15:47 UTC
Last modified on: 03/06/2024 21:42:48 UTC