Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLXJycXYtdmpydy1ocmNy
Arbitrary Code Execution in json-ptr
There is a security vulnerability in json-ptr
versions prior to v2.1.0 in which an unscrupulous actor may execute arbitrary code. If your code sends un-sanitized user input to json-ptr's .get() method, your project is vulnerable to this injection-style vulnerability.
JSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLXJycXYtdmpydy1ocmNy
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: almost 3 years ago
Updated: over 1 year ago
Identifiers: GHSA-rrqv-vjrw-hrcr
References:
- https://github.com/418sec/json-ptr/pull/3
- https://github.com/flitbit/json-ptr/blob/456a1728b45c8663bb1ac20a249c5fb17495ec6b/README.md#security-vulnerability-prior-to-v210
- https://github.com/flitbit/json-ptr/blob/master/src/util.ts%23L174
- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1038396
- https://snyk.io/vuln/SNYK-JS-JSONPTR-1016939
- https://www.huntr.dev/bounties/2-npm-json-ptr/
- https://www.npmjs.com/advisories/1706
- https://www.npmjs.com/package/json-ptr
- https://github.com/advisories/GHSA-rrqv-vjrw-hrcr
Blast Radius: 0.0
Affected Packages
npm:json-ptr
Dependent packages: 96Dependent repositories: 12,014
Downloads: 2,177,946 last month
Affected Version Ranges: < 2.1.0
Fixed in: 2.1.0
All affected versions: 0.1.0, 0.1.1, 0.2.0, 0.3.0, 0.3.1, 1.0.0, 1.0.1, 1.1.0, 1.1.1, 1.1.2, 1.2.0, 1.3.0, 1.3.1, 1.3.2, 2.0.0
All unaffected versions: 2.1.0, 2.1.1, 2.1.2, 2.2.0, 3.0.0, 3.0.1, 3.1.0, 3.1.1