
Jsonata

1 CVEs product


CVE-2026-12208 MEDIUM POC This Month

Prototype pollution in jsonata-js (all versions up to 2.2.0) allows remote unauthenticated attackers to inject arbitrary properties into JavaScript's Object.prototype via the createFrame function in src/jsonata.js. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N) with exploitation status E:P confirms this is network-exploitable with zero prerequisites, and a public proof-of-concept has been published on GitHub demonstrating a hasOwnProperty guard bypass. No patch exists - the vendor failed to respond to coordinated disclosure - leaving all users of jsonata ≤ 2.2.0 indefinitely exposed.

Prototype Pollution Information Disclosure Jsonata
NVD VulDB GitHub
CVSS 4.0: 5.5
EPSS: 0.3%
