
AIKIDO-2026-928289

mtdowling/jmespath.php is vulnerable to Code Injection

Code Injection (CVE-2026-54133), Published Today

98 (Critical Risk)

This Affects:

PHP: mtdowling/jmespath.php
Affected versions: 0.1.0 - 2.9.0
Fixed in 2.9.1

TL;DR

mtdowling/jmespath.php emits parsed JMESPath function names into generated PHP source without safely escaping them as string literals when JmesPath\CompilerRuntime is used (or when JP_PHP_COMPILE is enabled). A crafted expression using a non-identifier function callee can break out of the generated string literal and write attacker-controlled PHP into the compiled-expression cache file, which the compiler runtime then loads and executes. This allows arbitrary PHP code execution with the privileges of the PHP process when an attacker can influence the expression string. The fix escapes function names with var_export() and rejects non-identifier function callees in the parser.
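The pattern the TL;DR describes, as an added illustration rather than code from mtdowling/jmespath.php: a hypothetical expression compiler (ToyRuntime, compileCallUnsafe(), compileCallSafe() and loadCompiled() are all stand-ins invented for this example) emits generated PHP to a cache file and includes it, once by concatenating the parsed callee straight into a single-quoted literal and once with the two layers of the fix, an identifier check on the callee and var_export() on the emitted name. The payload is constructed for this toy generator and only sets a flag, but it shows a callee breaking out of the literal and its trailing statement executing when the cached file is loaded.

```php
<?php
declare(strict_types=1);

// Added illustration, not code from mtdowling/jmespath.php. ToyRuntime,
// compileCallUnsafe(), compileCallSafe() and loadCompiled() are hypothetical
// stand-ins for the library's compiler and cache path, written to show the
// pattern the advisory describes.

final class ToyRuntime
{
    public static bool $injected = false;

    public function callFunction(string $name, array $args): mixed
    {
        return match ($name) {
            'length' => count($args[0] ?? []),
            default => null,
        };
    }
}

// Vulnerable pattern: the parsed callee is concatenated straight into a
// single-quoted PHP string literal inside the generated source.
function compileCallUnsafe(string $fnName, string $argExpr): string
{
    return "<?php\n"
        . "return function (ToyRuntime \$runtime, \$value) {\n"
        . "    \$result = \$runtime->callFunction('" . $fnName . "', [" . $argExpr . "]);\n"
        . "    return \$result;\n"
        . "};\n";
}

// Hardened pattern, mirroring the two layers of the fix: reject any callee
// that is not an identifier at parse time, and emit the name with var_export()
// so it can never terminate the literal. The ASCII identifier regex is an
// assumption of this example, not necessarily the library's exact rule.
function compileCallSafe(string $fnName, string $argExpr): string
{
    if (!preg_match('/^[A-Za-z_][A-Za-z0-9_]*$/', $fnName)) {
        throw new InvalidArgumentException("Function callee must be an identifier, got: $fnName");
    }
    return "<?php\n"
        . "return function (ToyRuntime \$runtime, \$value) {\n"
        . "    \$result = \$runtime->callFunction(" . var_export($fnName, true) . ", [" . $argExpr . "]);\n"
        . "    return \$result;\n"
        . "};\n";
}

// Emulates "write the compiled expression to a cache file, then include it".
function loadCompiled(string $source): Closure
{
    $file = tempnam(sys_get_temp_dir(), 'jp_');
    file_put_contents($file, $source);
    try {
        return include $file;
    } finally {
        unlink($file);
    }
}

$runtime = new ToyRuntime();

// Benign expression: the callee is a plain identifier.
$length = loadCompiled(compileCallSafe('length', '$value'));
echo 'length([1,2,3]) = ', $length($runtime, [1, 2, 3]), PHP_EOL;

// Constructed payload (not from a real exploit): closes the string literal,
// appends a statement of the attacker's choosing, then reopens a literal so
// the generated file still parses. Here the injected statement only sets a
// flag; in the real issue it can be any PHP.
$payload = "length', []); ToyRuntime::\$injected = true; sprintf('x";

$evil = loadCompiled(compileCallUnsafe($payload, '$value'));
$evil($runtime, []);
echo 'unsafe compiler executed injected statement: ', var_export(ToyRuntime::$injected, true), PHP_EOL;

ToyRuntime::$injected = false;
try {
    loadCompiled(compileCallSafe($payload, '$value'));
} catch (InvalidArgumentException $e) {
    echo 'safe compiler rejected callee: ', $e->getMessage(), PHP_EOL;
}

// Even without the parser check, var_export() keeps the whole payload inside
// one literal, so it can only ever be looked up as a (non-existent) function name.
echo 'escaped literal: ', var_export($payload, true), PHP_EOL;
echo 'injected after safe path: ', var_export(ToyRuntime::$injected, true), PHP_EOL;
```

Run it with any PHP 8 interpreter. The unsafe path reports the flag as true because the generated file contained three statements instead of one; the safe path throws before any source is written, and the var_export() line shows the same payload reduced to a single escaped literal. The two layers are deliberately independent: the parser check stops non-identifier callees early, and the escaping protects the generator even if some other path feeds it an unexpected name.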

Who does this affect?

You are affected if you run mtdowling/jmespath.php 0.1.0 through 2.9.0 and your application evaluates expressions through JmesPath\CompilerRuntime, either explicitly or because JP_PHP_COMPILE is enabled, with expression strings that an attacker can influence (for example, a JMESPath query taken from a request parameter or from user-editable configuration). The vulnerable step is the generation of PHP source from the parsed expression: an application that never uses the compiler runtime does not write expressions into cached PHP files, so this particular injection path does not apply to it, although upgrading is still advisable. Check the installed version with composer show mtdowling/jmespath.php.

Background info

mtdowling/jmespath.php is vulnerable to Code Injection in versions 0.1.0 - 2.9.0. The flaw is in the compiler runtime's code generation, which interpolated parsed function names into PHP source without escaping them as string literals; version 2.9.1 escapes them with var_export() and makes the parser reject function callees that are not identifiers.

How to fix this

Upgrade mtdowling/jmespath.php to 2.9.1 or later, for example with composer require mtdowling/jmespath.php:^2.9.1, and confirm the new version with composer show mtdowling/jmespath.php. If you cannot upgrade immediately, stop passing attacker-influenced expression strings to JmesPath\CompilerRuntime (or unset JP_PHP_COMPILE so the default runtime is used). As a precaution, if the compiler runtime was ever exposed to untrusted expressions, clear its compiled-expression cache directory, since any file already written there is plain PHP that will run if it is loaded again.