CVE-2024-27307 in jsonatainfo

Summary

by MITRE • 03/06/2024

JSONata is a JSON query and transformation language. Starting in version 1.4.0 and prior to version 1.8.7 and 2.0.4, a malicious expression can use the transform operator to override properties on the `Object` constructor and prototype. This may lead to denial of service, remote code execution or other unexpected behavior in applications that evaluate user-provided JSONata expressions. This issue has been fixed in JSONata versions 1.8.7 and 2.0.4. Applications that evaluate user-provided expressions should update ASAP to prevent exploitation. As a workaround, one may apply the patch manually.

Be aware that VulDB is the high quality source for vulnerability data.

Analysis

by VulDB Data Team • 12/05/2025

CVE-2024-27307 represents a critical vulnerability in JSONata, a powerful query and transformation language for JSON data, where malicious expressions can exploit the transform operator to manipulate core JavaScript object properties. This vulnerability exists in versions 1.4.0 through 1.8.6 and 2.0.0 through 2.0.3, creating a significant attack surface for adversaries who can craft expressions that override properties on the Object constructor and its prototype chain. The technical flaw stems from insufficient validation of transform operations that allow attackers to directly modify fundamental JavaScript object behavior through user-provided expressions, which violates the principle of least privilege and object isolation.

The operational impact of this vulnerability extends beyond simple denial of service to encompass potential remote code execution and arbitrary code execution capabilities within applications that process untrusted JSONata expressions. When applications evaluate user input through JSONata's transform operator without proper sanitization, attackers can leverage this vulnerability to modify core object properties, potentially leading to prototype pollution attacks that can compromise entire application execution contexts. This vulnerability aligns with CWE-471, which addresses the modification of data structures during processing, and can be categorized under ATT&CK technique T1059.007 for scripting languages, specifically targeting JavaScript environments where JSONata is deployed.

Applications utilizing JSONata for processing user-provided data are particularly at risk, as the vulnerability can be exploited through any mechanism that allows expression evaluation without proper input validation. The fix implemented in versions 1.8.7 and 2.0.4 addresses the root cause by strengthening the validation of transform operations and preventing unauthorized modifications to core object properties. Organizations should prioritize immediate patching of affected systems, as the vulnerability can be exploited remotely without authentication requirements. The workaround of manual patching is insufficient for production environments and does not address the underlying architectural flaw in the transform operator implementation.

Security teams should implement comprehensive monitoring for any suspicious expression evaluation patterns that might indicate exploitation attempts, particularly focusing on transform operations that attempt to modify constructor properties or prototype chains. The vulnerability demonstrates the importance of input validation and sandboxing mechanisms when processing untrusted code, as JSONata's powerful transformation capabilities can be weaponized when proper security boundaries are not maintained. This issue highlights the critical need for secure coding practices in expression languages and serves as a reminder of the potential risks associated with allowing arbitrary code execution within application environments.

Responsible

GitHub, Inc.

Reservation

02/22/2024

Disclosure

03/06/2024

Moderation

accepted

CPE

ready

EPSS

0.01422

KEV

no

Activities

very low

Sources

Want to stay up to date on a daily basis?

Enable the mail alert feature now!