#VU107638 Code Injection in JSONPath - CVE-2025-1302
Published: April 22, 2025 / Updated: June 13, 2025
Vulnerability identifier: #VU107638
Vulnerability risk: Critical
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/U:Red
CVE-ID: CVE-2025-1302
CWE-ID: CWE-94
Exploitation vector: Remote access
Exploit availability:
Public exploit is available
Vulnerable software:
JSONPath
JSONPath
Software vendor:
JSONPath-Plus
JSONPath-Plus
Description
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to improper input validation. A remote attacker can execute aribitrary code on the system by exploiting the unsafe default usage of eval='safe' mode.
Remediation
Install updates from vendor's website.
External links
- https://gist.github.com/nickcopi/11ba3cb4fdee6f89e02e6afae8db6456
- https://github.com/JSONPath-Plus/JSONPath/blob/8e4acf8aff5f446aa66323e12394ac5615c3b260/src/Safe-Script.js%23L127
- https://github.com/JSONPath-Plus/JSONPath/commit/30942896d27cb8a806b965a5ca9ef9f686be24ee
- https://security.snyk.io/vuln/SNYK-JS-JSONPATHPLUS-8719585