GHSA-hw8r-x6gr-5gjp
Suggest an improvement- Source
- https://github.com/advisories/GHSA-hw8r-x6gr-5gjp
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/02/GHSA-hw8r-x6gr-5gjp/GHSA-hw8r-x6gr-5gjp.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-hw8r-x6gr-5gjp
- Aliases
- Related
- Published
- 2025-02-15T06:30:51Z
- Modified
- 2025-02-18T19:42:08.575394Z
- Severity
-
- 9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
- 8.9 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P CVSS Calculator
- Summary
- JSONPath Plus allows Remote Code Execution
- Details
-
Versions of the package jsonpath-plus before 10.3.0 are vulnerable to Remote Code Execution (RCE) due to improper input sanitization. An attacker can execute aribitrary code on the system by exploiting the unsafe default usage of eval='safe' mode.
Note:
This is caused by an incomplete fix for CVE-2024-21534.
- Database specific
{ "nvd_published_at": "2025-02-15T05:15:11Z", "severity": "HIGH", "github_reviewed": true, "cwe_ids": [ "CWE-94" ], "github_reviewed_at": "2025-02-18T19:25:34Z" }- References
-
- https://nvd.nist.gov/vuln/detail/CVE-2024-21534
- https://nvd.nist.gov/vuln/detail/CVE-2025-1302
- https://github.com/JSONPath-Plus/JSONPath/commit/30942896d27cb8a806b965a5ca9ef9f686be24ee
- https://gist.github.com/nickcopi/11ba3cb4fdee6f89e02e6afae8db6456
- https://github.com/JSONPath-Plus/JSONPath
- https://github.com/JSONPath-Plus/JSONPath/blob/8e4acf8aff5f446aa66323e12394ac5615c3b260/src/Safe-Script.js#L127
- https://security.snyk.io/vuln/SNYK-JS-JSONPATHPLUS-8719585
Affected packages
npm / jsonpath-plus
Package
- Name
- jsonpath-plus
- View open source insights on deps.dev
- Purl
- pkg:npm/jsonpath-plus