AIKIDO-2025-10930
@jsonquerylang/jsonquery is vulnerable to Prototype Pollution
62
Medium Risk
This Affects:
@jsonquerylang/jsonqueryTL;DR
Affected versions of this package are vulnerable to Prototype Pollution via Unsafe Property Access due to the lack of proper validation when retrieving object properties, allowing an attacker to access unsafe inherited prototype properties such as constructor or __proto__. It occurs in code paths that directly access user-supplied property names on objects without using proper validation. By manipulating these property accesses, an attacker can potentially obtain references to fundamental object constructors, leading to prototype pollution, remote code execution, or a breach of the sandbox environment by chaining these constructors to execute arbitrary code.
Who does this affect?
You are affected if you are using a version that falls within the vulnerable range.
Background info
@jsonquerylang/jsonquery is vulnerable to Prototype Pollution in versions 2.0.0 - 5.0.4.
How to fix this
Upgrade the @jsonquerylang/jsonquery library to the patch version.
Are You Affected?
Connect your repositories to instantly see whether vulnerable or malicious packages exist in your codebase.
Free. No credit card required.
SOC 2Compliant
ISO 27001Compliant