Vulnerability report written by the TA team by analyzing "Critical RCE Vulnerability in jsonpath-plus (CVE-2024-21534)"

CVE-2024-21534 is a remote code execution (RCE) vulnerability in the jsonpath-plus package due to improper input sanitization. This vulnerability can cause serious security threats to the system by allowing a malicious user to execute arbitrary code through input. Systems with vulnerabilities require immediate resolution, as they can provide an attacker with the opportunity to remotely control the system.

The most important countermeasure to resolve this vulnerability is to update to the latest version of the package. Updating can prevent risks caused by vulnerabilities, including security patches. In addition, you can strengthen security by thoroughly validating and filtering input values. Since this vulnerability can compromise the system through code execution, it is important to apply the patch as soon as possible and take all possible security measures.

Our WAF is also continuously monitoring and will respond promptly to any vulnerabilities discovered in the future.

1. Overview

jsonpath-plus is a JS implementation of JSONPath that includes several additional operators.

Versions of the package jsonpath-plus before 10.0.7 are vulnerable to remote code execution (RCE) due to improper input sanitization. An attacker could exploit the insecure default use of vm in Node.js to execute arbitrary code on the system.

2. Attack Type

The vulnerability fails to properly sanitize user input, allowing an attacker to inject arbitrary code on the server and execute it.

An attacker can create a malicious JSONPath expression that contains arbitrary JavaScript code. When this expression is evaluated by jsonpath-plus, the injected code is executed on the server. The exploitation process works like this

1. Malicious input manipulation: Attackers create expressions that embed JavaScript code intended to perform unauthorized actions, such as reading JSONPath sensitive files or executing system commands.
2. Injection point: The malicious code is fed to an application endpoint where JSONPath is used to process user-supplied queries for JSON data.
3. Code execution: The application uses VM modules to evaluate expressions without proper sanitization. This results in the execution of the attacker's code on the server.

When you run this code (node index.js), it executes a command to display the contents of the file cat /etc/passwd. This shows how an attacker can execute arbitrary system commands.

// index.js
const { JSONPath } = require("jsonpath-plus");
const data = {};
const maliciousCode = 'require("child_process").exec("cat /etc/passwd")';
const maliciousPath = `$[(this.constructor.constructor("${maliciousCode}")())]`;

const result = JSONPath({
    json: data,
    path: maliciousPath
});

3. Response

CVE-2024-21534 is a Remote Code Execution (RCE) vulnerability in the jsonpath-plus package. The vulnerability is caused by improper input sanitization, which could allow an attacker to execute arbitrary code on the system. To address this vulnerability, you should consider the following countermeasures

• Apply an update: Updating to the latest version of the jsonpath-plus package is the most effective mitigation. The latest version fixes the vulnerability.
• Enforce input validation: Because the vulnerability is caused by improper input validation, you can apply additional security measures to thoroughly validate and filter user input.
• Ensure safe usage: Recognize that the default usage of jsonpath-plus is insecure, and use safe settings to limit code execution when possible.

For this vulnerability, our AIWAF product will be doing further analysis and responding as a pattern.

4. Conclusion

CVE-2024-21534 is a remote code execution (RCE) vulnerability in the jsonpath-plus package, caused by improper input sanitization. This vulnerability could allow a malicious user to execute arbitrary code via input, posing a serious security threat to the system. Systems with the vulnerability require immediate remediation because it could provide an attacker with the opportunity to remotely take control of the system.

The most important countermeasure to address this vulnerability is to update to the latest version of the affected package. Updates include security patches, which can prevent the risk posed by the vulnerability. Security can also be enhanced by thoroughly validating and filtering input. Because this vulnerability can compromise systems through code execution, it's important to patch as soon as possible and take every security measure possible.

Our WAF is also monitoring this vulnerability and will continue to respond quickly to any additional vulnerabilities that are discovered.

5. References

• https://access.redhat.com/security/cve/cve-2024-21534
• https://nvd.nist.gov/vuln/detail/cve-2024-21534
• https://security.snyk.io/vuln/SNYK-JS-JSONPATHPLUS-7945884