This is a summary of the AI-generated 10-question deep analysis.
Q1: What is this vulnerability? (Essence + Consequences)
**Essence**: JSONata (v1.4.0 up to, but not including, 2.0.4) has a critical flaw: malicious expressions can overwrite object constructors and prototypes (prototype pollution). …
**Affected**: the `jsonata-js` / `jsonata` library. **Versions**: 1.4.0 up to (but not including) 2.0.4. **Scope**: any application that uses these versions for JSON querying or transformation.
Q4: What can hackers do? (Privileges/Data)
**Privileges**: full Remote Code Execution (RCE). **Data**: complete system compromise. **DoS**: can crash the application. **Network**: exploitable over the network (AV:N).
Q5: Is the exploitation threshold high? (Auth/Config)
**Threshold**: LOW. **Auth**: none required (PR:N). **UI**: no user interaction needed (UI:N). **Complexity**: low (AC:L). Easy to exploit remotely.
**Check**: scan for the `jsonata` dependency version. **Tool**: use SAST/DAST tools that detect prototype pollution. **Code**: look for untrusted JSONata expressions passed to the `jsonata()` function.
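The "Check" step above, as an added example that is not part of the analysis or of the JSONata project: a small scanner over a `package-lock.json` that reports every copy of `jsonata`, including nested copies pinned by transitive dependencies, and flags those in the affected range [1.4.0, 2.0.4). The lock-file content is constructed for illustration; the semver comparison is deliberately minimal (prerelease tags sort below the matching release, build metadata is ignored).

```javascript
// Added example: find jsonata copies in a lock file and flag the affected range.
// Range taken from the advisory summary above: >= 1.4.0 and < 2.0.4.
const AFFECTED_FROM = '1.4.0'; // first affected release (inclusive)
const FIXED_IN = '2.0.4';      // first fixed release (exclusive)

// Parse "MAJOR.MINOR.PATCH[-prerelease][+build]" into comparable parts.
function parseSemver(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?(?:\+[0-9A-Za-z.-]+)?$/.exec(String(v).trim());
  if (!m) throw new Error(`not a semver version: ${v}`);
  return { nums: [Number(m[1]), Number(m[2]), Number(m[3])], pre: m[4] || null };
}

// Comparator: negative, zero or positive. A prerelease sorts below its release.
function cmpSemver(a, b) {
  const pa = parseSemver(a), pb = parseSemver(b);
  for (let i = 0; i < 3; i++) {
    if (pa.nums[i] !== pb.nums[i]) return pa.nums[i] - pb.nums[i];
  }
  if (pa.pre && !pb.pre) return -1;
  if (!pa.pre && pb.pre) return 1;
  return 0;
}

function isAffected(version) {
  return cmpSemver(version, AFFECTED_FROM) >= 0 && cmpSemver(version, FIXED_IN) < 0;
}

// Walk both lock-file layouts: v2/v3 "packages" (flat map keyed by install
// path) and the older v1 "dependencies" tree (nested). Every jsonata copy is
// returned with its path, version and an `affected` flag.
function findJsonata(lock) {
  const found = [];
  if (lock.packages) {
    for (const [path, meta] of Object.entries(lock.packages)) {
      if (path === 'node_modules/jsonata' || path.endsWith('/node_modules/jsonata')) {
        found.push({ path, version: meta.version, affected: isAffected(meta.version) });
      }
    }
  } else if (lock.dependencies) {
    const walk = (deps, prefix) => {
      for (const [name, meta] of Object.entries(deps)) {
        const path = `${prefix}node_modules/${name}`;
        if (name === 'jsonata') {
          found.push({ path, version: meta.version, affected: isAffected(meta.version) });
        }
        if (meta.dependencies) walk(meta.dependencies, `${path}/`);
      }
    };
    walk(lock.dependencies, '');
  }
  return found;
}

// Constructed sample lock file (not a real project): the top-level copy is
// patched, but a transitive dependency still pins a vulnerable nested copy.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app' },
    'node_modules/jsonata': { version: '2.0.4' },
    'node_modules/some-transform-lib': { version: '1.2.3', dependencies: { jsonata: '^1.8.0' } },
    'node_modules/some-transform-lib/node_modules/jsonata': { version: '1.8.6' },
  },
};

for (const hit of findJsonata(SAMPLE_LOCK)) {
  console.log(`${hit.affected ? 'VULNERABLE' : 'ok        '} ${hit.version.padEnd(10)} ${hit.path}`);
}
```

Running it on the sample prints one `ok` line for the top-level 2.0.4 and one `VULNERABLE` line for the nested 1.8.6, which is exactly the case a top-level-only `npm ls jsonata` glance tends to miss.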
Q8: Is it fixed officially? (Patch/Mitigation)
**Fixed**: yes. **Patch**: upgrade to **v2.0.4** or later. **Source**: GitHub release v2.0.4 and security advisory GHSA-fqg8-vfv7-8fj8.
Q9: What if no patch? (Workaround)
**Workaround**: if you cannot patch, **disable** JSONata processing for untrusted input. **Sanitize**: strictly validate/whitelist all expression inputs. **Isolate**: run in a sandboxed environment if possible.
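The "Sanitize" workaround above, as an added example that is not part of the analysis or of the JSONata project: rather than validating free-form expression text (which is hard to do reliably), the application keeps an allow-list of the expressions it is willing to run, lets the request pick one by name, and passes request values through JSONata variable bindings so they never become part of the expression source. The `evaluator` parameter stands in for the library's `jsonata` export so the example runs without the package installed; with the real library you would pass `jsonata` itself, whose `jsonata(expr).evaluate(data, bindings)` call is the assumed interface. The stand-in evaluator and the sample data are constructed for this example.

```javascript
// Added example: allow-listed queries plus bindings instead of untrusted expressions.

// Every expression the application is ever allowed to run. Request-supplied
// values are referenced only through variables ($customer, $minTotal).
const ALLOWED_QUERIES = Object.freeze({
  ordersForCustomer: '$.orders[customer = $customer].id',
  largeOrders: '$.orders[total >= $minTotal].id',
});

// Reject anything that is not an own key of the allow-list; a plain `in` or
// property lookup would also accept inherited names such as "constructor".
function selectExpression(queryName) {
  if (typeof queryName !== 'string' || !Object.prototype.hasOwnProperty.call(ALLOWED_QUERIES, queryName)) {
    throw new Error(`unknown query: ${String(queryName)}`);
  }
  return ALLOWED_QUERIES[queryName];
}

// Bindings are restricted to identifier-shaped names and scalar values, so the
// variable channel cannot carry objects or further expression text.
function sanitizeBindings(bindings) {
  const out = {};
  for (const [k, v] of Object.entries(bindings || {})) {
    if (!/^[A-Za-z_][A-Za-z0-9_]*$/.test(k)) throw new Error(`bad binding name: ${k}`);
    if (!['string', 'number', 'boolean'].includes(typeof v)) throw new Error(`bad binding value for ${k}`);
    out[k] = v;
  }
  return out;
}

// Hardened entry point: expression from the allow-list, values via bindings.
async function runNamedQuery(evaluator, queryName, bindings, data) {
  const expr = selectExpression(queryName);
  return evaluator(expr).evaluate(data, sanitizeBindings(bindings));
}

// The shape the "Code" check looks for, kept here only for contrast:
// request-controlled text becomes the expression itself.
async function runUntrustedExpression(evaluator, untrustedExpr, data) {
  return evaluator(untrustedExpr).evaluate(data);
}

// Constructed stand-in for the jsonata export, with just enough behaviour to
// exercise the wrapper offline: it understands the two allow-listed shapes.
function fakeJsonata(expr) {
  const m = /^\$\.orders\[(\w+) (=|>=) \$(\w+)\]\.id$/.exec(expr);
  return {
    async evaluate(data, bindings = {}) {
      if (!m) throw new Error(`fake evaluator cannot run: ${expr}`);
      const [, field, op, varName] = m;
      return data.orders
        .filter(o => (op === '=' ? o[field] === bindings[varName] : o[field] >= bindings[varName]))
        .map(o => o.id);
    },
  };
}

// Constructed sample document.
const SAMPLE_DATA = {
  orders: [
    { id: 'A1', customer: 'acme', total: 120 },
    { id: 'B2', customer: 'beta', total: 40 },
    { id: 'A3', customer: 'acme', total: 15 },
  ],
};

runNamedQuery(fakeJsonata, 'ordersForCustomer', { customer: 'acme' }, SAMPLE_DATA)
  .then(ids => console.log('acme orders:', ids));
```

The point of the split is that the only strings reaching the expression parser are the ones the developers wrote; a request can change which query runs and what values it filters on, but not the expression's structure. A deny-list of suspicious substrings in free-form expressions is a weaker fallback, since it has to anticipate every spelling the parser accepts.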
Q10: Is it urgent? (Priority Suggestion)
**Urgency**: CRITICAL. **Priority**: P1. **Action**: patch immediately. CVSS 9.8 + remote + no auth = immediate threat. **Alert**: notify dev teams NOW.