CVE-2024-27307 Overview
CVE-2024-27307 is a prototype pollution vulnerability in JSONata, a JSON query and transformation language. Starting in version 1.4.0 and prior to versions 1.8.7 and 2.0.4, a malicious expression can use the transform operator to override properties on the Object constructor and prototype. This vulnerability may lead to denial of service, remote code execution, or other unexpected behavior in applications that evaluate user-provided JSONata expressions.
Critical Impact
Applications that allow user-provided JSONata expressions are at risk of remote code execution, denial of service, and prototype pollution attacks that could compromise the entire JavaScript runtime environment.
Affected Products
- JSONata versions 1.4.0 through 1.8.6
- JSONata versions 2.0.0 through 2.0.3
- Any application that evaluates user-provided JSONata expressions using vulnerable versions
Discovery Timeline
- March 6, 2024 - CVE-2024-27307 published to NVD
- December 4, 2025 - Last updated in NVD database
Technical Details for CVE-2024-27307
Vulnerability Analysis
This vulnerability is classified as CWE-1321 (Improperly Controlled Modification of Object Prototype Attributes), commonly known as Prototype Pollution. The flaw resides in JSONata's transform operator, which can be abused to modify the prototype chain of JavaScript's base Object constructor.
When an application evaluates user-controlled JSONata expressions, an attacker can craft malicious input that pollutes the Object.prototype. This pollution affects all JavaScript objects in the application's runtime, potentially leading to:
- Denial of Service: By corrupting fundamental object properties, the application's normal operation can be disrupted
- Remote Code Execution: In certain contexts, prototype pollution can be chained with other application logic to achieve arbitrary code execution
- Security Bypass: Polluted prototypes can modify authentication or authorization checks that rely on object property lookups
Root Cause
The root cause lies in insufficient input validation within the transform operator implementation. The operator fails to properly restrict modifications to sensitive object properties such as __proto__, constructor, and prototype. When processing user-provided expressions, the transform operator allows direct manipulation of these dangerous properties, enabling attackers to inject malicious values into the prototype chain.
Attack Vector
The attack is network-accessible and requires no authentication or user interaction, making it highly exploitable. An attacker can exploit this vulnerability by submitting a crafted JSONata expression to any endpoint or application feature that evaluates user-provided expressions.
The transform operator in JSONata allows modification of JSON objects during query execution. By targeting the __proto__ or constructor.prototype properties within a transform expression, attackers can inject arbitrary properties into the base Object prototype that will be inherited by all objects in the JavaScript runtime.
Detection Methods for CVE-2024-27307
Indicators of Compromise
- Unusual JSONata expressions containing the strings __proto__, constructor, or prototype (these are property names, not language keywords, so a plain string match is the practical check)
- Application errors or unexpected behavior following evaluation of user-provided expressions
- Evidence of object property pollution in application logs or monitoring systems
- Unexplained denial of service conditions in Node.js applications using JSONata
Detection Strategies
- Implement input validation to detect and block JSONata expressions containing prototype-related property names (__proto__, constructor, prototype)
- Monitor application logs for evaluation errors or stack traces related to JSONata processing
- Deploy static analysis tools to identify instances where user input is passed directly to JSONata evaluation functions
- Use runtime application self-protection (RASP) solutions to detect prototype pollution attempts
Monitoring Recommendations
- Enable verbose logging for JSONata expression evaluation in production environments
- Configure alerts for expressions containing suspicious patterns like __proto__ or constructor
- Monitor for unusual application behavior such as unexpected property values on standard objects
- Implement audit logging for all user-provided JSONata expressions before evaluation
How to Mitigate CVE-2024-27307
Immediate Actions Required
- Update JSONata to version 1.8.7 or 2.0.4 immediately
- Audit all application code to identify locations where user-provided JSONata expressions are evaluated
- Implement input validation to reject expressions containing the property names __proto__, constructor, or prototype until patching is complete
- Consider disabling user-provided expression evaluation temporarily if immediate patching is not possible
Patch Information
The JSONata maintainers have released patched versions that address this prototype pollution vulnerability. Applications should upgrade to:
- Version 1.8.7 for the 1.x branch
- Version 2.0.4 for the 2.x branch
Multiple commits have been published to address this vulnerability. For the commit references and additional details, refer to the GitHub Security Advisory GHSA-fqg8-vfv7-8fj8.
Workarounds
- Apply the security patches manually from the referenced commits if immediate version upgrade is not feasible
- Implement a sanitization layer that rejects JSONata expressions containing __proto__, constructor, or prototype strings
- Use Object.freeze() on Object.prototype as a defense-in-depth measure, though this may cause compatibility issues
- Isolate JSONata evaluation in a separate sandboxed context or worker process to limit the impact of prototype pollution
# Update JSONata to a patched version (npm install with an explicit version pins that exact release;
# npm update only moves within the range already declared in package.json)
npm install jsonata@1.8.7   # For the 1.x branch
npm install jsonata@2.0.4   # For the 2.x branch
# Verify the installed version
npm list jsonata
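The following is an added example, not code from the JSONata project or from this advisory, that combines the two workarounds listed above: the string-level sanitization filter and a post-evaluation integrity check that Object.prototype gained no new own properties. The evaluator is injected as a parameter so the block runs without the library; with jsonata 1.x it would be `(expr, input) => jsonata(expr).evaluate(input)` (in 2.x evaluate returns a Promise, so the check would await it), and the two stand-in evaluators at the bottom are constructed for demonstration.

```javascript
// Defensive wrapper for evaluating untrusted JSONata expressions (added example,
// not JSONata project code). The evaluator is injected so this runs stand-alone.

const PROTOTYPE_NAMES = /__proto__|constructor|prototype/;

// Gate 1: reject any expression that mentions prototype-related property names.
function isExpressionAllowed(expr) {
  return typeof expr === 'string' && !PROTOTYPE_NAMES.test(expr);
}

// Gate 2: snapshot Object.prototype's own keys, run the evaluator, then report
// (and remove) anything that was added. This catches what the string filter misses.
function evaluateGuarded(evaluate, expr, input) {
  if (!isExpressionAllowed(expr)) {
    return { ok: false, reason: 'blocked-by-filter', polluted: [] };
  }
  const before = new Set(Reflect.ownKeys(Object.prototype));
  let value;
  let error;
  try {
    value = evaluate(expr, input);
  } catch (e) {
    error = e; // still run the integrity check before propagating the error
  }
  const polluted = Reflect.ownKeys(Object.prototype).filter((k) => !before.has(k));
  for (const k of polluted) {
    delete Object.prototype[k]; // remediate so later requests in this process are unaffected
  }
  if (polluted.length > 0) {
    return { ok: false, reason: 'prototype-polluted', polluted: polluted.map(String) };
  }
  if (error) throw error;
  return { ok: true, value, polluted: [] };
}

// Constructed stand-in evaluators (hypothetical, for demonstration only).
function benignEvaluator(expr, input) {
  return input.name; // behaves as if the expression were "$.name"
}
function pollutingEvaluator(expr, input) {
  Object.prototype.injected = true; // simulates the effect of the vulnerable transform
  return input;
}
```

The regex filter is deliberately coarse and will also reject legitimate field names that happen to contain these substrings, so treat the integrity check as the reliable signal and the upgrade as the actual fix.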
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.