CVE-2024-27307

9.8 CRITICAL

📋 TL;DR

This vulnerability in JSONata allows malicious expressions to override properties on the Object constructor and prototype, potentially leading to denial of service, remote code execution, or other unexpected behavior. It affects applications that evaluate user-provided JSONata expressions. The issue impacts JSONata versions 1.4.0 through 1.8.6 and 2.0.0 through 2.0.3.

💻 Affected Systems

Products:
  • JSONata
Versions: 1.4.0 to 1.8.6, 2.0.0 to 2.0.3
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects applications that evaluate user-provided JSONata expressions. Applications using JSONata with trusted expressions only are not vulnerable.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case: Remote code execution leading to complete system compromise, data exfiltration, or persistent backdoor installation.

🟠 Likely Case: Denial of service through application crashes or remote code execution in vulnerable applications.

🟢 If Mitigated: No impact if proper input validation, sandboxing, or updated versions are used.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires the ability to submit malicious JSONata expressions to a vulnerable application. No public proof-of-concept has been released as of the advisory date.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.8.7 or 2.0.4

Vendor Advisory: https://github.com/jsonata-js/jsonata/security/advisories/GHSA-fqg8-vfv7-8fj8

Restart Required: No

Instructions:

1. Update the JSONata package to version 1.8.7 or 2.0.4 using npm: npm update jsonata
2. Verify the update with: npm list jsonata
3. Test application functionality after the update.

🔧 Temporary Workarounds

Manual patch application (all platforms): apply the security patches from the GitHub commits to your local JSONata installation.

git clone https://github.com/jsonata-js/jsonata.git
cd jsonata
git checkout 1d579dbe99c19fbe509f5ba2c6db7959b0d456d1
npm install

🧯 If You Can't Patch

  • Implement strict input validation and sanitization for all user-provided JSONata expressions
  • Sandbox JSONata evaluation in isolated environments or containers with limited permissions
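The two fallback controls above (validate the expression, contain the evaluation) can be combined in one wrapper around the application's existing JSONata call. The following is an added example, not code from this advisory or from the JSONata project: it rejects expressions that use the transform operator or reference the Object constructor/prototype, then checks after evaluation that no own property on Object or Object.prototype was added or replaced, restoring anything that was. The function names (guardedEvaluate, rejectReason, restoreAndReport), the length limit, and the injected `evaluate` callback are assumptions; in a real application that callback would be `(expr, data) => jsonata(expr).evaluate(data)`, and it is injected here so the file runs without the jsonata package installed.

```javascript
// Added example (not from the advisory or the JSONata project): a guard around
// evaluation of user-provided JSONata expressions while CVE-2024-27307 is unpatched.

const MAX_EXPRESSION_LENGTH = 2000; // hypothetical limit; tune for your workload

// Syntax the advisory names as the vector (the transform operator `~> | ... | ... |`)
// plus identifiers that reach the Object constructor or prototype.
const BLOCKED_PATTERNS = [
  { name: "transform operator", re: /~>\s*\|/ },
  { name: "__proto__", re: /__proto__/ },
  { name: "constructor", re: /\bconstructor\b/ },
  { name: "prototype", re: /\bprototype\b/ },
];

// Static pre-check: returns null when the expression may be evaluated, else a reason.
function rejectReason(expression) {
  if (typeof expression !== "string") return "expression must be a string";
  if (expression.length > MAX_EXPRESSION_LENGTH) return "expression too long";
  for (const { name, re } of BLOCKED_PATTERNS) {
    if (re.test(expression)) return `blocked syntax: ${name}`;
  }
  return null;
}

// Record every own property descriptor of a target (Object or Object.prototype).
function snapshot(target) {
  const out = new Map();
  for (const name of Object.getOwnPropertyNames(target)) {
    out.set(name, Object.getOwnPropertyDescriptor(target, name));
  }
  return out;
}

// Post-check: report properties added or replaced since the snapshot and undo them.
function restoreAndReport(target, before) {
  const changes = [];
  for (const name of Object.getOwnPropertyNames(target)) {
    const now = Object.getOwnPropertyDescriptor(target, name);
    if (!before.has(name)) {
      changes.push(`added ${name}`);
      delete target[name];
      continue;
    }
    const was = before.get(name);
    if (now.value !== was.value || now.get !== was.get || now.set !== was.set) {
      changes.push(`changed ${name}`);
      Object.defineProperty(target, name, was);
    }
  }
  return changes;
}

// evaluate(expression, data) is the application's own JSONata call (injected).
function guardedEvaluate(expression, data, evaluate) {
  const reason = rejectReason(expression);
  if (reason !== null) throw new Error(`rejected expression: ${reason}`);

  const watched = [
    { label: "Object", target: Object, before: snapshot(Object) },
    { label: "Object.prototype", target: Object.prototype, before: snapshot(Object.prototype) },
  ];

  let result;
  let evalError = null;
  try {
    result = evaluate(expression, data);
  } catch (e) {
    evalError = e;
  }

  // Tampering is reported even when evaluation itself threw, and the
  // prototype is restored before anything else runs in this process.
  const tampered = [];
  for (const { label, target, before } of watched) {
    for (const change of restoreAndReport(target, before)) tampered.push(`${label}: ${change}`);
  }
  if (tampered.length > 0) {
    throw new Error(`prototype tampering detected after evaluation: ${tampered.join(", ")}`);
  }
  if (evalError !== null) throw evalError;
  return result;
}

module.exports = { rejectReason, guardedEvaluate, restoreAndReport, snapshot };
```

The static filter is deliberately coarse: it also rejects legitimate expressions that merely use a field named `constructor` or `prototype`, which is the trade-off for running unpatched. The post-check is the safety net for whatever the filter misses; when a change is reported, treat the request as hostile, log the expression, and retire the workaround as soon as the 1.8.7 or 2.0.4 upgrade is possible.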

🔍 How to Verify

Check if Vulnerable:

Check package.json or run: npm list jsonata | grep jsonata

Check Version:

npm list jsonata | grep jsonata

Verify Fix Applied:

Verify installed version is 1.8.7 or higher for 1.x, or 2.0.4 or higher for 2.x

📡 Detection & Monitoring

Log Indicators:

  • Unusual JSONata expression patterns
  • Application crashes or errors during JSONata evaluation
  • Suspicious transform operator usage in expressions

Network Indicators:

  • Unusually large or complex JSONata expressions in API requests
  • Patterns matching known exploit attempts in expression payloads

SIEM Query:

source="application_logs" AND ("JSONata" OR "transform operator") AND (error OR crash OR exception)

🔗 References