CVE-2025-61140
EPSS 0.09%
JSONPath vulnerable to Prototype Pollution due to insufficient input validation of object keys in lib/index.js
Published: 1/28/2026
Modified: 2/5/2026
Description
The value function in jsonpath 1.1.1 lib/index.js is vulnerable to Prototype Pollution.
Affected packages (1)
- npm/jsonpath from 0, < 1.2.0
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 4.0 | — | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U |
References (7)
- ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2025-61140
- PATCH https://github.com/dchester/jsonpath
- WEB https://gist.github.com/Dremig/8105c189774217222a8ebea3ed4d341d
- WEB https://github.com/dchester/jsonpath/commit/9631412641b7095f86840a7a45b5b3afc68b0fcb
- WEB https://github.com/dchester/jsonpath/issues/181
- WEB https://github.com/dchester/jsonpath/issues/194
- WEB https://github.com/dchester/jsonpath/pull/195