AIKIDO-2025-10096
jsonpath-plus is vulnerable to Remote Code Execution (RCE)
90
Critical Risk
This Affects:
jsonpath-plusTL;DR
Several patches were applied to jsonpath-plus to prevent untrusted JavaScript execution when evaluating a path with the default eval='safe' mode. While version 10.2.0 was initially considered secure, a newly crafted payload has been discovered that still allows arbitrary JavaScript execution in safe mode by bypassing a forbidden non-string property value implicitly converted via toString. This enables remote code execution (RCE) in server-side contexts where JSONPath() is called with a user-controlled path. In client-side contexts, this can lead to cross-site scripting (XSS) if user input is used to construct the path.
Who does this affect?
You are affected if you are using a version that falls within the vulnerable range.
Background info
jsonpath-plus is vulnerable to Remote Code Execution (RCE) in versions 10.2.0 - 10.2.0.
How to fix this
Upgrade the jsonpath-plus library to the patch version.
Links
GitHub Release
Related Issue
Other
github.com/JSONPath-Plus/JSONPath/compare/v9.0.0...v10.1.0
security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-8185019security.snyk.io/vuln/SNYK-JS-JSONPATHPLUS-7945884
Are You Affected?
Connect your repositories to instantly see whether vulnerable or malicious packages exist in your codebase.
Free. No credit card required.
SOC 2Compliant
ISO 27001Compliant