CVE-2025-1302
- Source
- https://nvd.nist.gov/vuln/detail/CVE-2025-1302
- Import Source
- https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-1302.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/CVE-2025-1302
- Aliases
- Related
- Published
- 2025-02-15T05:15:11.683Z
- Modified
- 2025-11-16T12:30:40.219251Z
- Severity
-
- 8.9 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X CVSS Calculator
- Summary
- [none]
- Details
-
Versions of the package jsonpath-plus before 10.3.0 are vulnerable to Remote Code Execution (RCE) due to improper input sanitization. An attacker can execute aribitrary code on the system by exploiting the unsafe default usage of eval='safe' mode.
Note:
This is caused by an incomplete fix for CVE-2024-21534.
- References
-
- https://gist.github.com/nickcopi/11ba3cb4fdee6f89e02e6afae8db6456
- https://github.com/JSONPath-Plus/JSONPath/blob/8e4acf8aff5f446aa66323e12394ac5615c3b260/src/Safe-Script.js%23L127
- https://security.snyk.io/vuln/SNYK-JS-JSONPATHPLUS-8719585
- https://github.com/JSONPath-Plus/JSONPath/commit/30942896d27cb8a806b965a5ca9ef9f686be24ee
Affected packages
Git / github.com/jsonpath-plus/jsonpath
Affected ranges
- Type
- GIT
- Repo
- https://github.com/jsonpath-plus/jsonpath
- Events
-
Introduced0 Unknown introduced commit / All previous commits are affectedFixed
Affected versions
v0.*
v0.12.0
v0.13.0
v0.13.1
v0.14.0
v0.15.0
v0.16.0
v0.17.0
v0.18.0
v0.18.1
v0.19.0
v0.20.0
v0.20.1
v0.20.2
v1.*
v1.0.0
v1.1.0
v10.*
v10.0.1
v10.0.2
v10.0.3
v10.0.4
v10.0.5
v10.0.6
v10.0.7
v10.1.0
v10.2.0
v2.*
v2.0.0
v3.*
v3.0.0
v4.*
v4.0.0
v5.*
v5.0.0
v5.0.1
v5.0.2
v5.0.3
v5.0.4
v5.0.5
v5.0.6
v5.0.7
v5.1.0
v6.*
v6.0.0
v6.0.1
v7.*
v7.1.0
v7.2.0
v9.*
v9.0.0