Skip to content

[Security] Bump jsonpath-plus from 10.0.0 to 10.1.0

Dependabot requested to merge dependabot-npm_and_yarn-jsonpath-plus-10.1.0 into master

Bumps jsonpath-plus from 10.0.0 to 10.1.0. This update includes a security fix.

Vulnerabilities fixed

JSONPath Plus Remote Code Execution (RCE) Vulnerability Versions of the package jsonpath-plus before 10.0.7 are vulnerable to Remote Code Execution (RCE) due to improper input sanitization. An attacker can execute aribitrary code on the system by exploiting the unsafe default usage of vm in Node.

Note:

There was an attempt to fix it in version 10.0.0 but it could still be exploited using different payloads.

Patched versions: 10.0.7 Affected versions: < 10.0.7

Changelog

Sourced from jsonpath-plus's changelog.

10.1.0

  • feat: add typeof operator to safe script

10.0.7

  • fix(security): prevent constructor access
  • docs: add security policy file

10.0.6

  • fix(security): prevent call/apply invocation of Function

10.0.5

  • fix: remove overly aggressive disabling of native functions but disallow __proto__

10.0.4

  • fix(security): further prevent binding of Function calls which may evade detection

10.0.3

  • fix(security): prevent binding of Function calls which may evade detection

10.0.2

  • fix(security): prevent Function calls outside of member expressions

10.0.1

  • fix(security): prohibit Function in "safe" vm
Commits


Dependabot commands
You can trigger Dependabot actions by commenting on this MR
  • $dependabot recreate will recreate this MR rewriting all the manual changes and resolving conflicts

Merge request reports

Loading