
CVE-2025-1302: Versions of the package jsonpath-plus before 10.3.0 are vulnerable to Remote Code Execution (RCE) due to improper input sanitization.

9.3 CVSS

Description

Versions of the package jsonpath-plus before 10.3.0 are vulnerable to Remote Code Execution (RCE) due to improper input sanitization. An attacker can execute arbitrary code on the system by exploiting the unsafe default usage of eval='safe' mode.

**Note:**

This is caused by an incomplete fix for [CVE-2024-21534](https://security.snyk.io/vuln/SNYK-JS-JSONPATHPLUS-7945884).
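Because the advisory fixes the vulnerable range at everything below 10.3.0, the first practical check is whether any copy of jsonpath-plus in a dependency tree (including nested copies under other packages) is still on an older release. The following is an added example, not code from the advisory or the jsonpath-plus project; it scans a lockfileVersion 2/3 package-lock.json "packages" map, and the sample lockfile it reads is constructed here for illustration.

```javascript
// Added example: flag jsonpath-plus installs older than the fixed release 10.3.0
// in a package-lock.json (lockfileVersion 2 or 3 "packages" map).
const FIXED_VERSION = '10.3.0'; // first release with the complete fix, per the advisory
const PKG_NAME = 'jsonpath-plus';

// Minimal semver comparison on the numeric major.minor.patch core.
// Assumption: pre-release/build suffixes (e.g. "-beta.1") are ignored.
function compareVersions(a, b) {
  const pa = a.split('-')[0].split('.').map(Number);
  const pb = b.split('-')[0].split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const x = pa[i] || 0;
    const y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// True when the installed version falls inside the advisory's affected range (< 10.3.0).
function isVulnerableVersion(version) {
  return compareVersions(version, FIXED_VERSION) < 0;
}

// Returns every vulnerable jsonpath-plus install in the lockfile, with its
// lockfile path so nested copies (node_modules/x/node_modules/jsonpath-plus)
// are reported alongside the top-level one.
function findVulnerableInstalls(lockfile) {
  const hits = [];
  for (const [path, entry] of Object.entries(lockfile.packages || {})) {
    if (!path.endsWith(`node_modules/${PKG_NAME}`)) continue;
    if (entry.version && isVulnerableVersion(entry.version)) {
      hits.push({ path, version: entry.version });
    }
  }
  return hits;
}

// Constructed sample lockfile: the top-level copy is patched, but a second
// copy nested under another dependency is still on an affected release.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', version: '1.0.0' },
    'node_modules/jsonpath-plus': { version: '10.3.0' },
    'node_modules/some-lib': { version: '2.0.0' },
    'node_modules/some-lib/node_modules/jsonpath-plus': { version: '10.2.0' },
  },
};

console.log(findVulnerableInstalls(SAMPLE_LOCK));
```

Run it against a real lockfile by replacing SAMPLE_LOCK with the parsed contents of package-lock.json; an empty result means no copy of jsonpath-plus in that tree is below 10.3.0.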

Classification

CVE ID: CVE-2025-1302

CVSS Base Severity: CRITICAL

CVSS Base Score: 9.3

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P

Affected Products

Vendor: n/a

Product: jsonpath-plus

Exploit Prediction Scoring System (EPSS)

EPSS Score: 0.05% (estimated probability of exploitation in the wild)

EPSS Percentile: 18.46% (share of all scored vulnerabilities with an EPSS score less than or equal to this one)

EPSS Date: 2025-03-16 (date the score was calculated)

References

https://security.snyk.io/vuln/SNYK-JS-JSONPATHPLUS-8719585
https://gist.github.com/nickcopi/11ba3cb4fdee6f89e02e6afae8db6456
https://github.com/JSONPath-Plus/JSONPath/blob/8e4acf8aff5f446aa66323e12394ac5615c3b260/src/Safe-Script.js#L127
https://github.com/JSONPath-Plus/JSONPath/commit/30942896d27cb8a806b965a5ca9ef9f686be24ee
