CVE-2026-12208
Prototype Pollution in jsonata-js jsonata

Publication date: 2026-06-15

Last updated on: 2026-06-15

Assigner: VulDB

Description
A weakness has been identified in jsonata-js jsonata up to 2.2.0. The affected element is the function createFrame in the file src/jsonata.js, part of the Function Binding Frame System component. The manipulation leads to improperly controlled modification of object prototype attributes. The attack can be initiated remotely. An exploit has been published and could be used in attacks. The vendor was contacted early about this disclosure but did not respond in any way.
Affected Vendors & Products
Vendor: jsonata
Product: jsonata
Version range: up to and including 2.2.0
CWE ID and Description
CWE-1321 The product receives input from an upstream component that specifies attributes that are to be initialized or updated in an object, but it does not properly control modifications of attributes of the object prototype.
CWE-94 The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
Executive Summary

CVE-2026-12208 is a prototype pollution vulnerability in the jsonata library versions up to 2.2.0. It occurs in the createFrame() function, which constructs a frame for variable bindings using a plain object without proper validation.

The vulnerability arises because the bind() method assigns values directly to the bindings object, and the lookup() method uses bindings.hasOwnProperty(name) as a security check. An attacker can inject a property named hasOwnProperty into user-supplied bindings, overriding the inherited Object.prototype.hasOwnProperty.

This override causes the lookup() method to call the attacker-controlled function instead of the built-in one, bypassing the security check. Consequently, all 63 built-in functions stored in the frame's prototype chain, such as $sum, $count, and $string, can be replaced by injecting properties with matching names.

The proof of concept shows that by overriding hasOwnProperty to always return true and replacing the $sum function with a malicious one, the evaluation of $sum([1,2,3]) returns "HACKED_SUM" instead of the correct sum, confirming the vulnerability.

Impact Analysis

This vulnerability allows an attacker to execute arbitrary code or manipulate the behavior of the jsonata library by replacing built-in functions with malicious ones.

Such manipulation can lead to unexpected or harmful outcomes in applications using the affected jsonata versions, potentially compromising application integrity and security.

Detection Guidance

This vulnerability can be detected by testing whether the jsonata library in use is version 2.2.0 or earlier and by verifying if the createFrame function is susceptible to prototype pollution via the hasOwnProperty property injection.

A practical detection method involves running a proof of concept that attempts to override the hasOwnProperty function in the bindings object and then checking if built-in functions like $sum are replaced or behave unexpectedly.

For example, you can execute a test script that evaluates the expression `$sum([1,2,3])` after injecting a malicious hasOwnProperty property. If the output is altered (e.g., returns "HACKED_SUM" instead of 6), the system is vulnerable.

Mitigation Strategies

Immediate mitigation steps include avoiding the use of jsonata library versions up to 2.2.0 until a patched version is released.

If upgrading is not immediately possible, restrict or sanitize user input to prevent injection of properties named hasOwnProperty or other prototype properties.

Additionally, monitor for suspicious behavior or unexpected results from functions like $sum, $count, or $string that could indicate exploitation attempts.
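The binding frame described in the executive summary, together with the input-sanitizing mitigation suggested above, as an added example that is not jsonata's own code: the unsafe lookup pattern beside a hardened frame. Frame shape, function names and the hostile bindings object are assumptions constructed for illustration.

```javascript
// Added example, not jsonata's own code: a minimal binding frame modelled on the page's
// description of createFrame()/bind()/lookup(). Names and shape are assumptions.
const STATIC_BUILTINS = { $sum: (arr) => arr.reduce((a, b) => a + b, 0) };

// Unsafe pattern: plain-object store, lookup dispatches through bindings.hasOwnProperty.
function createFrameUnsafe(enclosing) {
  const bindings = {};
  return {
    bind(name, value) { bindings[name] = value; },
    lookup(name) {
      if (bindings.hasOwnProperty(name)) return bindings[name];
      return enclosing ? enclosing.lookup(name) : undefined;
    },
  };
}

// Hardened pattern: null-prototype store, unshadowable own-property check, and a
// bind() that refuses any name that exists on Object.prototype.
function createFrameHardened(enclosing) {
  const bindings = Object.create(null);
  return {
    bind(name, value) {
      if (name in Object.prototype) throw new Error(`reserved name: ${name}`);
      bindings[name] = value;
    },
    lookup(name) {
      if (Object.prototype.hasOwnProperty.call(bindings, name)) return bindings[name];
      return enclosing ? enclosing.lookup(name) : undefined;
    },
  };
}

// Load untrusted bindings into a frame, collecting the names it refused.
function applyBindings(frame, userBindings) {
  const rejected = [];
  for (const [name, value] of Object.entries(userBindings)) {
    try { frame.bind(name, value); } catch { rejected.push(name); }
  }
  return rejected;
}

// Builtins frame + child frame; the child receives a constructed hostile bindings
// object overriding hasOwnProperty. undefined sum means the built-in $sum was lost.
function demo(createFrame) {
  const builtins = createFrame(null);
  Object.entries(STATIC_BUILTINS).forEach(([n, f]) => builtins.bind(n, f));
  const frame = createFrame(builtins);
  const rejected = applyBindings(frame, { hasOwnProperty: () => true });
  const fn = frame.lookup('$sum');
  return { rejected, sum: typeof fn === 'function' ? fn([1, 2, 3]) : undefined };
}
```

Running demo(createFrameUnsafe) shows the override hijacking the check so $sum no longer resolves, while demo(createFrameHardened) rejects the reserved name and still evaluates $sum([1,2,3]) to 6.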

Compliance Impact

The vulnerability in jsonata-js allows an attacker to perform prototype pollution, leading to arbitrary code execution or manipulation of the library's behavior. This can compromise the integrity and security of applications using the affected library.

Such a security weakness could potentially lead to unauthorized data manipulation or exposure, which may impact compliance with data protection regulations like GDPR or HIPAA that require safeguarding data integrity and preventing unauthorized access.

However, the provided information does not explicitly describe direct effects on compliance with these standards or specific regulatory impacts.
