CVE-2025-1302

Published Feb 15, 2025

Last updated 8 days ago

Overview

Description: Versions of the package jsonpath-plus before 10.3.0 are vulnerable to Remote Code Execution (RCE) due to improper input sanitization. An attacker can execute aribitrary code on the system by exploiting the unsafe default usage of eval='safe' mode. **Note:** This is caused by an incomplete fix for [CVE-2024-21534](https://security.snyk.io/vuln/SNYK-JS-JSONPATHPLUS-7945884).
Source: report@snyk.io
NVD status: Received

Risk scores

CVSS 4.0

Type: Secondary
Base score: 8.9
Impact score: -
Exploitability score: -
Vector string: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Severity: HIGH

CVSS 3.1

Type: Secondary
Base score: 9.8
Impact score: 5.9
Exploitability score: 3.9
Vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Severity: CRITICAL

Weaknesses

report@snyk.io: CWE-94

Hype score: Not currently trending

[CVE-2025-1302: CRITICAL] Package jsonpath-plus < 10.3.0 has a Remote Code Execution vulnerability allowing attackers to run code by misusing eval='safe'. Update to version 10.3.0 to fix this CVE-2024-21534.#cybersecurity,#vulnerability https://t.co/wby3Yrprvv https://t.co/uYL
@CveFindCom
15 Feb 2025
44 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes

References