JSONata is a powerful, open-source, and lightweight JSON query and transformation language. JSONata expressions provide a simple way to manipulate JSON data, allowing developers to extract information and transform JSON data structures effectively. However, it also exposes a vulnerability, identified as CVE-2024-27307, in which a malicious expression can use the transform operator to override properties on the Object constructor and prototype. This results in a potential denial of service, remote code execution or other unexpected behavior in applications that evaluate user-provided JSONata expressions.

Vulnerability Details

In JSONata versions 1.4. and prior to 1.8.7 and 2..4, it has been discovered that an attacker can craft a malicious expression containing the transform operator designed to override Object properties. This may lead to unintended consequences and potentially exploit applications that utilize user-provided JSONata expressions.

Here is a code snippet demonstrating the exploit

const jsonata = require('jsonata');

const maliciousExpression = `
  $map($[], function($v, $i, $a) {
    $!($v ~> function() {
      Object.constructor = function() {
        // ...malicious code executed...
      }
    }());
  })
`;

const result = jsonata(maliciousExpression).evaluate({});

console.log(result); // undefined, but malicious code has been executed

In this example, the malicious expression provided by the attacker successfully overrides the Object constructor, allowing the attacker to execute arbitrary code.

Original References

JSONata Security Advisory: CVE-2024-27307 Advisory

GitHub Issue: Issue #382 on jsonata-js/jsonata

Remediation

It is recommended to update your JSONata library to version 1.8.7 or 2..4 to remediate the issue. To do so, run the following commands for the respective versions:

8.x users

npm install jsonata@1.8.7

x users

npm install jsonata@2..4

Manual Patch Workaround

If you cannot update your JSONata library at this moment, you may apply the following patch manually as a temporary workaround. However, this is not recommended as a long-term solution.

const jsonata = require('jsonata');

// Patch the jsonata.transform method to prevent property overriding
const originalTransform = jsonata.transform;
jsonata.transform = function (input, pattern, bindings) {
  // Prevent an attacker from overwriting Object properties
  const protectedBindings = { ...bindings, Object: undefined };

  return originalTransform.call(jsonata, input, pattern, protectedBindings);
};

Conclusion

It is essential to keep your JSONata library up-to-date to mitigate potential exploitation in applications allowing user-provided expressions. Upgrading to the latest JSONata version (1.8.7 or 2..4) is highly recommended. For temporary relief, you may utilize the manual patch as mentioned earlier; however, it should not be considered a long-term solution.

Timeline

Published on: 03/06/2024 20:15:47 UTC
Last modified on: 03/06/2024 21:42:48 UTC