SB2025042218 - Code Injection in jsonpath-plus
Published: April 22, 2025 Updated: June 13, 2025
Security Bulletin ID
SB2025042218
Severity
Critical
Patch available
YES
Number of vulnerabilities
1
Exploitation vector
Remote access
Highest impact
Code execution
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 1 security vulnerability.
1) Code Injection (CVE-ID: CVE-2025-1302)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to improper input validation. A remote attacker can execute aribitrary code on the system by exploiting the unsafe default usage of eval='safe' mode.
Remediation
Install update from vendor's website.
References
- https://gist.github.com/nickcopi/11ba3cb4fdee6f89e02e6afae8db6456
- https://github.com/JSONPath-Plus/JSONPath/blob/8e4acf8aff5f446aa66323e12394ac5615c3b260/src/Safe-Script.js%23L127
- https://github.com/JSONPath-Plus/JSONPath/commit/30942896d27cb8a806b965a5ca9ef9f686be24ee
- https://security.snyk.io/vuln/SNYK-JS-JSONPATHPLUS-8719585