
Cloud Vulnerability DB
A community-led vulnerabilities database
The security vulnerability (GHSA-rrqv-vjrw-hrcr) affects json-ptr versions prior to v2.1.0, where an unscrupulous actor could execute arbitrary code through the library's .get() method. The vulnerability was discovered and disclosed in March 2021, affecting the npm package json-ptr, a complete implementation of JSON Pointer (RFC 6901) for Node.js and modern browsers (GitHub Advisory).
The vulnerability stems from the .get() method's failure to properly delimit single quotes when compiling accessors for quickly reaching points in an object graph. This implementation flaw caused the get operation to throw an exception during normal usage and, more critically, allowed arbitrary code execution when malicious user input was passed directly to the method. The issue was specifically a lack of sanitization of the user-supplied pointer string (Flitbit README).
The vulnerability allows attackers to execute arbitrary code through the library's .get() method when unsanitized user input is passed to it. Depending on the context in which the library is used, this could lead to complete system compromise (GitHub Advisory).
The primary mitigation is to upgrade to json-ptr version 2.1.0 or higher, which includes the security patch. For users unable to upgrade immediately, the recommended workaround is to ensure proper sanitization of all user input before passing it to any of the methods exposed by the json-ptr library (Flitbit README).
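As an added example (not json-ptr's own code; every name below belongs to this example), the resolver here shows the safer design the root cause points at: the pointer is parsed into RFC 6901 tokens and walked with plain property lookups, so a single quote or any other character in a segment is only ever a property name and never reaches a code generator.

```javascript
"use strict";

// Parse a JSON Pointer (RFC 6901) into an array of unescaped reference tokens.
// Syntactically invalid pointers are rejected up front with an exception.
function parsePointer(pointer) {
  if (typeof pointer !== "string") throw new TypeError("pointer must be a string");
  if (pointer === "") return [];                  // "" refers to the whole document
  if (pointer[0] !== "/") throw new SyntaxError("pointer must start with '/'");
  return pointer.slice(1).split("/").map((tok) => {
    // Only ~0 (-> "~") and ~1 (-> "/") are legal escapes; a "~" followed by
    // anything else is invalid per RFC 6901.
    if (/~(?![01])/.test(tok)) {
      throw new SyntaxError("invalid ~ escape in " + JSON.stringify(tok));
    }
    return tok.replace(/~1/g, "/").replace(/~0/g, "~"); // ~1 first, then ~0
  });
}

// Resolve a pointer against a document by interpretation, never by building
// and evaluating an accessor string. Returns undefined when the path does not
// exist. Only own properties are followed, so tokens such as __proto__ or
// constructor cannot walk into the prototype chain.
function resolvePointer(doc, pointer) {
  let cur = doc;
  for (const tok of parsePointer(pointer)) {
    if (cur === null || typeof cur !== "object") return undefined;
    if (Array.isArray(cur)) {
      // Only canonical decimal indices are readable; "-" and leading zeros are not.
      if (!/^(0|[1-9][0-9]*)$/.test(tok)) return undefined;
      cur = cur[Number(tok)];
    } else {
      if (!Object.prototype.hasOwnProperty.call(cur, tok)) return undefined;
      cur = cur[tok];
    }
  }
  return cur;
}

// Constructed sample document whose keys contain the characters that are
// hazardous to splice into generated code: quotes, slashes and tildes.
const sampleDoc = {
  a: { "b'c": 1, "m/n": [10, 20], "t~u": "tilde" },
  "o'brien": "quoted",
};
```

`resolvePointer(sampleDoc, "/a/b'c")` returns 1 and `resolvePointer(sampleDoc, "/a/m~1n/1")` returns 20; the quote-bearing key needs no special handling because nothing is compiled.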
Source: This report was generated using AI