Home > Vulnerability Database > CVE-2025-1302

Mend.io Vulnerability Database

CVE-2025-1302

Good to know:

Date: February 15, 2025

Versions of the package jsonpath-plus before 10.3.0 are vulnerable to Remote Code Execution (RCE) due to improper input sanitization. An attacker can execute aribitrary code on the system by exploiting the unsafe default usage of eval='safe' mode. Note: This is caused by an incomplete fix for "CVE-2024-21534" (https://security.snyk.io/vuln/SNYK-JS-JSONPATHPLUS-7945884).

Severity Score

9.8

Related Resources (8)

Url: https://gist.github.com/nickcopi/11ba3cb4fdee6f89e02e6afae8db6456

Url: https://github.com/JSONPath-Plus/JSONPath

Url: https://github.com/JSONPath-Plus/JSONPath/commit/30942896d27cb8a806b965a5ca9ef9f686be24ee

Url: https://github.com/JSONPath-Plus/JSONPath/blob/8e4acf8aff5f446aa66323e12394ac5615c3b260/src/Safe-Script.js%23L127

Url: https://github.com/JSONPath-Plus/JSONPath/blob/8e4acf8aff5f446aa66323e12394ac5615c3b260/src/Safe-Script.js#L127

Url: https://nvd.nist.gov/vuln/detail/CVE-2024-21534

Url: https://nvd.nist.gov/vuln/detail/CVE-2025-1302

Url: https://www.mend.io/vulnerability-database/CVE-2025-1302

Severity Score

9.8

Weakness Type (CWE)

Improper Control of Generation of Code ('Code Injection')

CWE-94

Top Fix

Upgrade Version

Upgrade to version jsonpath-plus - 10.3.0

Learn More

CVSS v3.1

Base Score:	9.8
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	NONE
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	HIGH
Integrity (I):	HIGH
Availability (A):	HIGH

Mend.io Vulnerability Database

We found results for “”

CVE-2025-1302

Good to know:

Date: February 15, 2025

Severity Score

Related Resources (8)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?