GHSA-mpcw-3j5p-p99x: Butterfly's parseJSON, getJSON functions eval malicious input, leading to remote code execution (RCE)
Use of the Butterfly.prototype.parseJSON or getJSON functions on an attacker-controlled crafted input string allows the attacker to execute arbitrary JavaScript code on the server. Since Butterfly JavaScript code has access to Java classes, it can run arbitrary programs.
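As an added illustration (not Butterfly's own code), the contrast below shows why an eval-based JSON parser is a code-execution sink and what the safe replacement looks like; unsafeParseJSON is a constructed stand-in for the vulnerable pattern, and the sample inputs are constructed.

```javascript
// Constructed stand-in for the vulnerable pattern: "parsing" JSON by
// evaluating the input string. Any input that is valid JavaScript runs.
function unsafeParseJSON(text) {
  // eslint-disable-next-line no-eval
  return eval("(" + text + ")");
}

// Hardened replacement: JSON.parse accepts only the JSON grammar, so
// expressions, calls and property access raise SyntaxError instead of
// being executed. Non-string input is rejected up front.
function safeParseJSON(text) {
  if (typeof text !== "string") {
    throw new TypeError("expected a JSON string");
  }
  return JSON.parse(text);
}

// Reports how a parser treats an input: "accepted", "rejected" (not JSON)
// or "error" (some other failure such as a wrong argument type).
function classify(parser, text) {
  try {
    parser(text);
    return "accepted";
  } catch (e) {
    return e instanceof SyntaxError ? "rejected" : "error";
  }
}

// Constructed sample inputs: legitimate JSON, and a harmless JavaScript
// expression that is not JSON but evaluates under eval.
const VALID_JSON = '{"user": "alice", "roles": ["reader"]}';
const NOT_JSON = "1 + 1";

function demo() {
  return {
    unsafeOnExpression: unsafeParseJSON(NOT_JSON),       // 2: the code ran
    safeOnExpression: classify(safeParseJSON, NOT_JSON), // "rejected"
    safeOnJson: safeParseJSON(VALID_JSON).user,          // "alice"
  };
}
```

For legitimate JSON both functions return the same object, so swapping to JSON.parse preserves behaviour for valid input while closing the code-execution path.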