CVE-2025-61140
EPSS 0.09%
JSONPath vulnerable to Prototype Pollution due to insufficient input validation of object keys in lib/index.js
Published: 2026/1/28 Modified: 2026/2/5
Description
The value function in jsonpath 1.1.1 lib/index.js is vulnerable to Prototype Pollution.
Affected packages (1)
- npm/jsonpath from 0, < 1.2.0
CVSS score
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 4.0 | — | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U |
References (7)
- ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2025-61140
- PATCH https://github.com/dchester/jsonpath
- WEB https://gist.github.com/Dremig/8105c189774217222a8ebea3ed4d341d
- WEB https://github.com/dchester/jsonpath/commit/9631412641b7095f86840a7a45b5b3afc68b0fcb
- WEB https://github.com/dchester/jsonpath/issues/181
- WEB https://github.com/dchester/jsonpath/issues/194
- WEB https://github.com/dchester/jsonpath/pull/195