| Title | jsonata-js jsonata 2.2.0 Prototype Pollution |
|---|---|
| Description | JSONata's function binding frame system creates bindings using a plain object (`{}`) and assigns values with `bindings[name] = value` without prototype chain validation. The `for...in` loop in the user bindings handler and `createFrameFromTuple` traverses the prototype chain, allowing attackers to override built-in functions. A novel bypass exists: passing a `hasOwnProperty` property in user bindings shadows the inherited `Object.prototype.hasOwnProperty`, bypassing the `lookup()` security check. This affects 63 built-in functions including `$sum`, `$count`, `$eval`, etc. |
| Source | https://github.com/OriginSecurityX/jsonata-hasownproperty-bypass |
| User | Frederick (UID 98351) |
| Submission | 05/18/2026 11:57 (28 days ago) |
| Moderation | 06/14/2026 14:25 (27 days later) |
| Status | Accepted |
| VulDB entry | 370850 [jsonata-js jsonata up to 2.2.0 Function Binding Frame System src/jsonata.js createFrame prototype pollution] |
| Points | 20 |
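
The guard shadowing and `for...in` behaviour named in the Description, shown as an added example that is not jsonata's code or the submitter's. It is a simplified binding frame beside a hardened form that uses a null-prototype object, `Object.keys`, and a captured `Object.prototype.hasOwnProperty`; the names `makeWeakFrame`, `makeHardenedFrame` and `probe` are hypothetical and the inputs are constructed.

```javascript
// Added illustration: a simplified binding frame, not jsonata's source code.
// makeWeakFrame, makeHardenedFrame and probe are hypothetical names.

function makeWeakFrame(userBindings) {
  const bindings = {};                      // plain object: inherits Object.prototype
  for (const name in userBindings) {        // for...in also visits inherited keys
    bindings[name] = userBindings[name];
  }
  return {
    lookup(name) {
      // The guard is resolved through `bindings` itself, so a binding named
      // "hasOwnProperty" replaces the very check that is meant to protect it.
      return bindings.hasOwnProperty(name) ? bindings[name] : undefined;
    },
  };
}

function makeHardenedFrame(userBindings) {
  const bindings = Object.create(null);     // no prototype chain to fall back on
  for (const name of Object.keys(userBindings)) {  // own enumerable keys only
    bindings[name] = userBindings[name];
  }
  const hasOwn = Object.prototype.hasOwnProperty;  // captured once, never read from data
  return {
    lookup(name) {
      return hasOwn.call(bindings, name) ? bindings[name] : undefined;
    },
  };
}

// Constructed inputs: one binding set that shadows the guard, and one whose
// only key lives on its prototype rather than on the object itself.
const shadowing = { hasOwnProperty: () => true };
const inheritedOnly = Object.create({ fromProto: 1 });

// Reports what a frame resolves for names that were never bound as own keys.
function probe(makeFrame) {
  return {
    guardBypassed: makeFrame(shadowing).lookup('constructor') !== undefined,
    inheritedKeyCopied: makeFrame(inheritedOnly).lookup('fromProto') !== undefined,
  };
}

console.log('weak    ', probe(makeWeakFrame));
console.log('hardened', probe(makeHardenedFrame));
```

In the hardened frame a binding named `hasOwnProperty` is stored and returned as ordinary data, because the ownership check no longer goes through the bindings object.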