- Description
- All versions of the package jsonpath-plus are vulnerable to Remote Code Execution (RCE) due to improper input sanitization. An attacker can execute arbitrary code on the system by exploiting the unsafe default usage of vm in Node. **Note:** There were several attempts to fix it in versions [10.0.0-10.1.0](https://github.com/JSONPath-Plus/JSONPath/compare/v9.0.0...v10.1.0) but it could still be exploited using [different payloads](https://github.com/JSONPath-Plus/JSONPath/issues/226).
- Source
- report@snyk.io
- NVD status
- Awaiting Analysis
CVSS 3.1
- Type
- Secondary
- Base score
- 9.8
- Impact score
- 5.9
- Exploitability score
- 3.9
- Vector string
- CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- Severity
- CRITICAL
- Hype score
- Not currently trending
[CVE-2025-1302: CRITICAL] Package jsonpath-plus < 10.3.0 has a Remote Code Execution vulnerability allowing attackers to run code by misusing eval='safe'. Update to version 10.3.0 to fix this CVE-2024-21534.#cybersecurity,#vulnerability https://t.co/wby3Yrprvv https://t.co/uYL
@CveFindCom
15 Feb 2025
CVE-2024-21534 - Command Injection in JSONPath Plus versions < 10.0.7 Root cause: Improper sanitization of user-supplied JSONPath expressions, allowing arbitrary code execution via Node.js's vm module. Reference: https://t.co/hMG5EckcFb https://t.co/w24vw6PiK9
@win3zz
14 Nov 2024
🧟‍♂️ Villain of the Week 🧟‍♂️ CVE-2024-21534 affects all versions of the jsonpath-plus package prior to 10.0.0, which are vulnerable to Remote Code Execution. With a CVSS score of 9.8, this vulnerability is rated as Critical, posing a severe risk to your system's confidential
@vicariusltd