jsonata is vulnerable to Exposure of Sensitive Information
21
Low Risk
Certain internal, undocumented APIs in JSONata, used for debugging and for imposing time or depth constraints on queries, should only be accessible programmatically, not from within a query itself. Allowing access from within queries lets an attacker bypass those constraints, potentially enabling targeted attacks. Changing the binding keys to Symbol values makes these internal APIs inaccessible inside queries, because a Symbol cannot be referenced from query syntax; queries can therefore no longer manipulate or remove important diagnostics or constraints. The fix uses Symbol.for to keep public and internal functionality separate, improving security with minimal changes.
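The mechanism behind the fix, shown on a toy evaluator environment rather than on jsonata's own code (this is an added illustration; the key names `__depthLimit` and `example.depthLimit` and the function names are constructed for it): when engine-internal limits live in the same string-keyed binding table that query variables use, a query assignment can overwrite them; when the engine stores them under a Symbol, a query, which can only ever produce string names, cannot reach them, while host code that knows the registry name can still read them via `Symbol.for`.

```javascript
// Toy binding environment for a query language. Queries can bind and read
// variables by name; the engine keeps an internal depth limit in the same
// environment. Added illustration, not jsonata's implementation.

// Host code obtains the internal key through the global Symbol registry;
// the query language has no syntax that yields a Symbol.
const DEPTH_LIMIT = Symbol.for('example.depthLimit'); // hypothetical registry name

function createEnvironment(useSymbolKeys) {
  const bindings = new Map();
  // Weak variant: internal limit stored under an ordinary string name.
  // Fixed variant: internal limit stored under a Symbol.
  const limitKey = useSymbolKeys ? DEPTH_LIMIT : '__depthLimit'; // constructed name
  bindings.set(limitKey, 10);
  return { bindings, limitKey };
}

// Simulates the effect of query assignments such as `$__depthLimit := 1000000`.
// Names coming out of a parser are always strings, so the only keys a query
// can touch are string keys.
function runQueryAssignments(env, assignments) {
  for (const [name, value] of assignments) {
    env.bindings.set(String(name), value);
  }
}

// Engine-side read of the limit, using whichever key the engine chose.
function currentLimit(env) {
  return env.bindings.get(env.limitKey);
}

// Trusted host code elsewhere (e.g. another module) can still reach the
// internal binding because Symbol.for returns the same Symbol for the name.
function hostReadsLimit(env) {
  return env.bindings.get(Symbol.for('example.depthLimit'));
}

// Run a query that tries to raise the depth limit and report what the
// engine sees afterwards.
function demo(useSymbolKeys) {
  const env = createEnvironment(useSymbolKeys);
  runQueryAssignments(env, [['__depthLimit', 1000000]]);
  return currentLimit(env);
}

console.log('string key, limit after query :', demo(false)); // 1000000 (overwritten)
console.log('symbol key, limit after query :', demo(true));  // 10 (untouched)
```

The separation holds only as long as the query language never exposes a way to obtain Symbols (no `Symbol.for` builtin reachable from query code and no host-provided function returning the internal key); the check to keep in place is that every name a query can reference is produced by the parser as a string.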
You are affected if you are using a version that falls within the vulnerable range.
jsonata is vulnerable to Exposure of Sensitive Information in versions 1.8.0 - 2.0.5.
Upgrade the jsonata library to a patched version.