CVE-2025-1302
CRITICAL9.8EPSS 89.9%JSONPath Plus allows Remote Code Execution
發布日:2025/2/15修改日:2026/2/4
描述
Versions of the package jsonpath-plus before 10.3.0 are vulnerable to Remote Code Execution (RCE) due to improper input sanitization. An attacker can execute aribitrary code on the system by exploiting the unsafe default usage of eval='safe' mode. **Note:** This is caused by an incomplete fix for CVE-2024-21534.
受影響套件(1)
- npm/jsonpath-plusfrom 0, < 10.3.0
CVSS 分數
| 來源 | 版本 | 嚴重程度 | 向量 |
|---|---|---|---|
| osv | CVSS 4.0 | — | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P |
| osv | CVSS 3.1 | CRITICAL9.8 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
參考連結(7)
- ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2024-21534
- ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2025-1302
- PATCHhttps://github.com/JSONPath-Plus/JSONPath
- WEBhttps://gist.github.com/nickcopi/11ba3cb4fdee6f89e02e6afae8db6456
- WEBhttps://github.com/JSONPath-Plus/JSONPath/blob/8e4acf8aff5f446aa66323e12394ac5615c3b260/src/Safe-Script.js#L127
- WEBhttps://github.com/JSONPath-Plus/JSONPath/commit/30942896d27cb8a806b965a5ca9ef9f686be24ee
- WEBhttps://security.snyk.io/vuln/SNYK-JS-JSONPATHPLUS-8719585