CVE-2026-12208
Description
Prototype pollution in jsonata ≤2.2.0 allows remote attackers to override built-in functions via crafted bindings.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The createFrame function in src/jsonata.js of jsonata up to and including version 2.2.0 stores variable bindings in a plain object (var bindings = {}). Its bind() method assigns values into that object directly, with no check on the property name, while its lookup() method relies on bindings.hasOwnProperty(name) as the check that a variable was actually bound in this frame. Because the store is a plain object, an own property named hasOwnProperty supplied through user-controlled bindings shadows the inherited Object.prototype.hasOwnProperty, so the check ends up calling attacker-supplied code; the CVE reports this as prototype pollution. [1]
Exploitation
An attacker who controls the bindings object passed to evaluate() supplies a property named hasOwnProperty whose value is a function that always returns true. evaluate() copies user bindings into a fresh frame with a for...in loop, so bind() writes the attacker's hasOwnProperty into the frame's bindings object, where it shadows the inherited method. Every subsequent lookup() in that frame calls the attacker's function, so the ownership check always passes. Alongside it, the attacker binds properties named after any of the 63 built-in functions (e.g., sum for $sum, count for $count), and lookup() returns those in place of the genuine built-ins. [1]
Impact
Successful exploitation lets the attacker replace built-in functions with attacker-supplied JavaScript functions, so any expression the application evaluates with those bindings runs attacker-chosen code and returns attacker-chosen results. Whether that amounts to code execution in the host process or to data manipulation depends on how the application uses the expression and its output. [1]
Mitigation
The vendor was contacted but did not respond, and as of the publication date no official fix has been released. Do not evaluate untrusted JSONata expressions or pass untrusted bindings to evaluate(). Where bindings must be derived from request data, copy only an allow-list of expected variable names into a fresh object (created with Object.create(null)) before passing it, so a hasOwnProperty key or a built-in function name can never reach the frame. Run evaluation of untrusted input in a sandboxed environment, and upgrade to a patched version if one becomes available. [1]
AI Insight generated on Jun 15, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- jsonata (npm), range: <=2.2.0
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"The `lookup()` function uses `bindings.hasOwnProperty(name)` as a security gate, which can be trivially bypassed when user-supplied bindings override the inherited `hasOwnProperty` method."
Attack vector
An attacker supplies a user-controlled bindings object containing a property named `hasOwnProperty` mapped to a function that always returns `true`. When `lookup()` calls `bindings.hasOwnProperty(name)`, the attacker's function executes, defeating the security gate. The attacker can simultaneously inject a property with the same name as any built‑in function (e.g., `sum`), which the bypassed lookup will return in place of the genuine built‑in. [ref_id=1]
Affected code
The vulnerability resides in `src/jsonata.js` within the `createFrame()`, `bind()`, and `lookup()` functions. `createFrame()` constructs variable bindings as a plain `{}` object. `bind()` writes attacker-controlled properties directly via `bindings[name] = value` without a safety check, and `lookup()` relies on `bindings.hasOwnProperty(name)` — a check that can be subverted. The `for...in` loop at lines 2146–2147 also picks up any user-supplied `hasOwnProperty` key. [ref_id=1]
What the fix does
The patch is not included in the bundle, and the vendor did not respond to the disclosure. A fix must stop `lookup()` from dispatching the ownership check through the bindings object itself: test ownership with `Object.hasOwn(bindings, name)` (or `Object.prototype.hasOwnProperty.call(bindings, name)`), and preferably also store the bindings in a `Map` or in an object created with `Object.create(null)` so there is no inherited `hasOwnProperty` for user input to shadow. `Object.create(null)` on its own is not sufficient: a null-prototype object has no `hasOwnProperty` method at all, so `bindings.hasOwnProperty(name)` would throw rather than return false; it has to be paired with one of the non-dispatching checks above. [ref_id=1]
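A minimal model of the frame pattern described under Exploitation and in the fix discussion above, as an added example that is not jsonata's own code: the vulnerable `createFrame()` shape beside a hardened one, both run on the same crafted bindings. `builtinFrame`, `bindUserBindings`, `callIfFunction`, `demo` and the two-function built-in set are assumptions made for this example, not jsonata's internals.

```javascript
'use strict';

// Vulnerable shape (models the described createFrame/bind/lookup):
// plain-object store, ownership check dispatched through the store.
function createFrameVulnerable(enclosing) {
  var bindings = {};
  return {
    bind: function (name, value) { bindings[name] = value; },
    lookup: function (name) {
      if (bindings.hasOwnProperty(name)) {   // shadowable by a bound key
        return bindings[name];
      }
      return enclosing ? enclosing.lookup(name) : undefined;
    }
  };
}

// Hardened shape: null-prototype store (nothing inherited to shadow)
// plus Object.hasOwn, which never dispatches through the store.
// Object.create(null) alone would not do: bindings.hasOwnProperty
// would then be undefined and the call would throw.
function createFrameHardened(enclosing) {
  var bindings = Object.create(null);
  return {
    bind: function (name, value) { bindings[name] = value; },
    lookup: function (name) {
      if (Object.hasOwn(bindings, name)) {
        return bindings[name];
      }
      return enclosing ? enclosing.lookup(name) : undefined;
    }
  };
}

// Assumed stand-in for the frame holding built-ins; two functions only.
function builtinFrame(createFrame) {
  var frame = createFrame(null);
  frame.bind('sum', function (arr) {
    return arr.reduce(function (a, b) { return a + b; }, 0);
  });
  frame.bind('count', function (arr) { return arr.length; });
  return frame;
}

// Models the for...in copy of user bindings into a child frame.
function bindUserBindings(createFrame, userBindings) {
  var exec = createFrame(builtinFrame(createFrame));
  for (var v in userBindings) {
    exec.bind(v, userBindings[v]);
  }
  return exec;
}

// Constructed crafted bindings, following the shape of the advisory's PoC.
var evilBindings = {};
evilBindings.hasOwnProperty = function () { return true; };
evilBindings.sum = function () { return 'HACKED_SUM'; };

function callIfFunction(fn, arg) {
  return typeof fn === 'function' ? fn(arg) : fn;
}

// What a caller sees for $sum, for a built-in the attacker did not bind,
// and for an inherited Object.prototype name, under a given frame shape.
function demo(createFrame) {
  var env = bindUserBindings(createFrame, evilBindings);
  return {
    sum: callIfFunction(env.lookup('sum'), [1, 2, 3]),
    count: callIfFunction(env.lookup('count'), [1, 2, 3]),
    toStringLeaks: env.lookup('toString') === Object.prototype.toString
  };
}

console.log('vulnerable:', demo(createFrameVulnerable));
console.log('hardened:  ', demo(createFrameHardened));
```

Both variants return HACKED_SUM for `sum`, because the user binding is an own property of the child frame and shadows the built-in through ordinary frame lookup. The difference the ownership fix makes shows on names the attacker did not bind: with the shadowed check, `count` no longer falls through to the built-in frame (it resolves to undefined, so `$count(...)` would fail) and `toString` resolves to `Object.prototype.toString`; the hardened frame falls through correctly and exposes nothing from `Object.prototype`. An application that must not let callers redefine built-ins also has to filter binding names before calling evaluate().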
Preconditions
- input: The attacker must be able to pass a bindings object whose property names and values they control to `expr.evaluate()`. The PoC relies on function-valued properties (a `hasOwnProperty` that returns `true`, a replacement `sum`), which bindings deserialized from JSON cannot carry; a non-function `hasOwnProperty` value instead makes `lookup()` throw a `TypeError` when it tries to call it.
- auth: No authentication is required by the library itself; whether the attack is reachable remotely depends on the application exposing the bindings object to request data.
Reproduction
Install jsonata v2.2.0 (`npm install jsonata@2.2.0`) and run the provided PoC. The original uses a top-level `await`, which a CommonJS script does not allow; it is wrapped in an async function here so it runs as written:

```js
const jsonata = require("jsonata");

// Crafted bindings: an own hasOwnProperty that always answers "yes",
// plus a replacement for the built-in $sum.
const evilBindings = {};
evilBindings.hasOwnProperty = function() { return true; };
evilBindings.sum = function() { return "HACKED_SUM"; };

async function main() {
  const expr = jsonata("$sum([1,2,3])");
  const result = await expr.evaluate({}, evilBindings);
  console.log(result); // Result: "HACKED_SUM": built-in $sum function replaced
}

main();
```
Generated on Jun 15, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
News mentions
No linked articles in our index yet.