Impact
The vulnerability resides in jsonata-js jsonata version 2.2.0 and earlier in the createFrame function of src/jsonata.js. It enables an attacker to manipulate object prototype attributes arbitrarily, which can lead to prototype pollution. This weakness allows a remote actor to inject malicious data that is later executed or used by the execution or denial of service. The flaw is a type of improper handling of prototype attributes and is classified under CWE-1321, CWE-915, and CWE-94.
Affected Systems
The affected product is jsonata-js:jsonata. All installations using version 2.2.0 or earlier are vulnerable; no specific minor release was listed as patched. The vendor has not issued a fix at this time.
Risk and Exploitability
The CVSS score is 6.9, representing moderate severity. An EPSS score of 0.00314 indicates a very low probability of exploitation, and the vulnerability is not listed in. Attackers can exploit the weakness remotely by sending crafted expressions that trigger createFrame. The public exploit is available, showing that this vulnerability can be actively used against exposed services.
OpenCVE Enrichment