Invia #832446: jsonata-js jsonata 2.2.0 Prototype Pollutioninformazioni

Titolojsonata-js jsonata 2.2.0 Prototype Pollution
DescrizioneJSONata's function binding frame system creates bindings using a plain object ({}) and assigns values with bindings[name] = value without prototype chain validation. The for...in loop in the user bindings handler and createFrameFromTuple traverses the prototype chain, allowing attackers to override built-in functions. A novel bypass exists: passing a hasOwnProperty property in user bindings shadows the inherited Object.prototype.hasOwnProperty, bypassing the lookup() security check. This affects 63 built-in functions including $sum, $count, $eval, etc.
Fonte⚠️ https://github.com/OriginSecurityX/jsonata-hasownproperty-bypass
Utente
 Frederick (UID 98351)
Sottomissione18/05/2026 11:57 (28 giorni fa)
Moderazione14/06/2026 14:25 (27 days later)
StatoAccettato
Voce VulDB370850 [jsonata-js jsonata fino a 2.2.0 Function Binding Frame System src/jsonata.js createFrame]
Punti20

PrecedenteVisione D'ensembleIl prossimo

Do you know our Splunk app?

Download it now for free!