jsonpath-plus < 10.0.0 is vulnerable to Remote Code Execution

[Alxblsk]

Feature Request

According to https://nvd.nist.gov/vuln/detail/CVE-2024-21534, there's a vulnerability in jsonpath-plus package used in serverless-offline due to improper sanitization. According to Snyk, severity is "critical".

Would be great if package can be bumped to v10 so fix the issue.

Expected behavior/code

serverless-offline has the issue fixed to let consumers to upgrade.

[openam]

Is this also going to be fixed in any of the older versions, i.e. < v14? For those people that haven't upgraded to serverless v4 yet?

The faqs do state the following:

You do not have to buy a License for Serverless Framework V.3 and less. V.3 will continue to receive essential security and bug fixes throughout 2024.

[hugoduraes]

I've just faced this issue. It'd be great to have a fix on this issue. I'm currently on v13.8.1.

[mhmoudgmal]

Hi! @Alxblsk you might be able to fix this by overriding the jsonpath-plus.

  "devDependencies": {
    // ...
    "jsonpath-plus": "^10.0.0",
    // ...
  },
  "overrides": {
    "jsonpath-plus": "^10.0.0"
  }

Note: This approach will ensure the top-level package is overwritten, hence fixing your vulnerability alert (just because you might wonder that the lockfile still listing jsonpath-plus with the old version as a dep for serverless-offlie). So, serverless-offline still need to update

[DorianMazur]

I will wait for tests and release new versions