Code Injection in flitbit/json-ptr


Reported on

Mar 28th 2021

✍️ Description

json-ptr is a complete implementation of JSON Pointer (RFC 6901) for nodejs and modern browsers.

JsonPointer.get that is designed to get the target object's value at the pointer's location is vulnerable to arbitrary code injection and exection, mainly due to the lack of sanitizing for user's inputs of the pointer's location.

🕵️‍♂️ Proof of Concept

// PoC.js
JsonPointer.get({}, '/aaa\'\]\)\) !== \'undefined\') \{return it;\}; console.log(\'HACKED\'); if((([\'a'); // HACKED

💥 Impact

This vulnerability is capable of executing arbitrary js codes.


Jamie Slome
2 years ago


Validation should be working now - apologies for any issues!

Phillip Clark
2 years ago

For reference; fixed in v2.1.0 and above.

to join this conversation