Description: We observed that the function writeFileSync() in the file index.js does not have any validation over the input to the options parameter, which may lead to a possibility of Denial of Service or Code Execution if the options parameter is attacker controllable.
Version: 6.0.1
POC Snippet:
Mitigation: Validate the options.fs parameter with a whitelist, such that it only accepts the attributes defined by the package (Ex: spaces, EOL, flag).

jsonfile is not designed for arbitrary input to the options parameter; anyone allowing a 3rd party to pass the options should implement their own whitelisting/validation.
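One way to implement the whitelisting the maintainer recommends, as an added example that is not part of jsonfile or of the reporter's post: a filter that keeps only the `spaces`, `EOL` and `flag` keys the package documents and drops everything else (including a caller-supplied `fs` object) before the options reach `jsonfile.writeFileSync()`. The permitted flag values and the bounds on `spaces` are this example's own assumptions.

```javascript
// Added example (not jsonfile's own code): restrict caller-supplied options
// to the serialisation/write keys the package documents, so an untrusted
// caller cannot hand over an `fs` override or other unexpected attributes.
// Assumed policy: only these flags are acceptable for a JSON write.
const ALLOWED_FLAGS = new Set(['w', 'wx', 'a', 'ax']);

function sanitizeJsonfileOptions(untrusted) {
  // Reject anything that is not a plain object (null, arrays, primitives).
  if (untrusted === null || typeof untrusted !== 'object' || Array.isArray(untrusted)) {
    throw new TypeError('options must be a plain object');
  }
  const has = (k) => Object.prototype.hasOwnProperty.call(untrusted, k);
  const safe = {};
  // Only own properties are copied, so prototype-inherited keys are ignored.
  if (has('spaces')) {
    const s = untrusted.spaces;
    // Assumed bound: mirrors JSON.stringify's 10-character indent limit.
    const ok = (Number.isInteger(s) && s >= 0 && s <= 10) ||
               (typeof s === 'string' && s.length <= 10);
    if (!ok) throw new TypeError('spaces must be an integer 0-10 or a short string');
    safe.spaces = s;
  }
  if (has('EOL')) {
    if (untrusted.EOL !== '\n' && untrusted.EOL !== '\r\n') {
      throw new TypeError('EOL must be "\\n" or "\\r\\n"');
    }
    safe.EOL = untrusted.EOL;
  }
  if (has('flag')) {
    if (!ALLOWED_FLAGS.has(untrusted.flag)) throw new TypeError('unsupported flag');
    safe.flag = untrusted.flag;
  }
  // Every other key (fs, replacer, mode, encoding, ...) is intentionally dropped.
  return safe;
}

// Constructed sample of what an untrusted caller might supply.
const untrustedExample = {
  spaces: 2,
  EOL: '\n',
  flag: 'w',
  fs: { writeFileSync: () => {} }, // would replace the real fs module if passed through
  mode: 0o777,
};

// Pass `sanitized`, never `untrustedExample`, as the options argument of
// jsonfile.writeFileSync(file, obj, sanitized).
const sanitized = sanitizeJsonfileOptions(untrustedExample);
console.log(sanitized); // { spaces: 2, EOL: '\n', flag: 'w' }
```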