JSONata expression can pollute the "Object" prototype
Impact In JSONata versions >= 1.4.0, < 1.8.7 and >= 2.0.0, < 2.0.4, a malicious expression can use the transform operator to override properties on the Object constructor and prototype. This may lead to denial of service, remote code execution or other unexpected behavior in applications that evaluate user-provided JSONata expressions. Patch This issue has been fixed in JSONata versions >= 1.8.7 and >= 2.0.4. Applications that evaluate user-provided expressions …