CVE-2025-1302
Remote Code Execution vulnerability in jsonpath-plus
What is CVE-2025-1302 About?
This vulnerability is a Remote Code Execution (RCE) flaw in the jsonpath-plus package caused by improper sanitization of the JSONPath expressions it evaluates. An attacker who can get a crafted path expression evaluated by a vulnerable version can run arbitrary code in the process hosting the library, which can lead to full system compromise. Public proof-of-concept code exists, which lowers the bar to exploitation.
Affected Software
Technical Details
The vulnerability stems from the jsonpath-plus package's improper input sanitization in its default 'safe' evaluation mode (the eval option set to 'safe'). That mode exists to evaluate JSONPath filter expressions ([?(...)]) and script expressions in a restricted interpreter instead of handing them to vm or eval, but its checks could be bypassed. An attacker who controls the path expression can craft one that passes the safe evaluator's checks and still reaches real JavaScript execution, achieving RCE in the process that evaluates the query. This issue is an incomplete fix for the earlier vulnerability CVE-2024-21534: the patch for that CVE introduced the 'safe' evaluator, and the validation logic inside it remained bypassable until version 10.3.0.
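Because the library only invokes its expression evaluator for filter ([?(...)]) and script ([(...)]) segments, the most robust application-side control is to never let an untrusted string with such segments reach the library at all, and to pass eval: false (documented by jsonpath-plus as disabling all script evaluation) as defence in depth. The following is an added example written for this page, not code from the jsonpath-plus project; the allowlist contents, the function names, and the service that would call them are assumptions.

```javascript
// Added example, not code from the jsonpath-plus project: keep untrusted
// JSONPath strings away from the library's expression evaluator.
//
// jsonpath-plus only hands a path to its eval engine (Safe-Script in the
// default `eval: 'safe'` mode) when the path contains a filter segment
// `[?(...)]` or a script segment `[(...)]`. Plain member and index paths
// never reach that code, so refusing those segments before calling the
// library removes this attack surface on every version. The returned
// options additionally set `eval: false`, which the library documents as
// disabling all script evaluation, as defence in depth against bypasses.

// Hypothetical allowlist: the only query shapes this (assumed) service needs.
// An exact-match allowlist is the primary control; the structural check
// below is a secondary guard for callers that cannot enumerate their paths.
const DEFAULT_ALLOWED_PATHS = new Set([
  '$.store.book[*].author',
  '$.store.book[0].title',
  '$..price',
]);

// Returns true when `path` contains a filter or script expression segment.
// The parser tolerates whitespace inside the brackets, so strip it first.
function containsScriptSegment(path) {
  const compact = String(path).replace(/\s+/g, '');
  return /\[\?\(/.test(compact) || /\[\(/.test(compact);
}

// Validates an untrusted path. Returns { ok: true } or { ok: false, reason }.
// Pass `null` as `allowedPaths` to apply only the structural check.
function validateJsonPath(path, allowedPaths = DEFAULT_ALLOWED_PATHS) {
  if (typeof path !== 'string' || path.length === 0) {
    return { ok: false, reason: 'path must be a non-empty string' };
  }
  if (containsScriptSegment(path)) {
    return { ok: false, reason: 'filter/script expressions are not permitted' };
  }
  if (allowedPaths && !allowedPaths.has(path)) {
    return { ok: false, reason: 'path is not on the allowlist' };
  }
  return { ok: true };
}

// Builds the options object for `JSONPath(options)` (import { JSONPath }
// from 'jsonpath-plus'). Throws on a rejected path so a caller cannot fall
// through to the library with attacker-controlled input.
function buildQueryOptions(json, path, allowedPaths = DEFAULT_ALLOWED_PATHS) {
  const verdict = validateJsonPath(path, allowedPaths);
  if (!verdict.ok) {
    throw new Error(`rejected JSONPath: ${verdict.reason}`);
  }
  return {
    path,
    json,
    eval: false, // never evaluate expressions, even if one slipped through
    wrap: true,  // always return an array for predictable result handling
  };
}

// Usage (the library call is left commented so this file runs without the
// dependency installed):
//   const { JSONPath } = require('jsonpath-plus');
//   const doc = { store: { book: [{ title: 'A', author: 'B', price: 9 }] } };
//   const results = JSONPath(buildQueryOptions(doc, req.query.path));
```

The ordering inside validateJsonPath is deliberate: the structural check runs before the allowlist lookup so that a request carrying a filter or script segment is logged as such rather than as a generic allowlist miss, which is the signal an incident responder would want when hunting for exploitation attempts.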
What is the Impact of CVE-2025-1302?
Successful exploitation may allow attackers to run arbitrary commands with the privileges of the process that evaluates the JSONPath query, gain full control over the compromised system, steal sensitive data, and disrupt service availability.
What is the Exploitability of CVE-2025-1302?
Exploitation is considered straightforward: public proof-of-concept (PoC) code exists, and the attacker only needs to get a crafted JSONPath expression evaluated by a vulnerable version of jsonpath-plus. The advisory states no authentication or privilege requirements, so the flaw is reachable by an unauthenticated remote attacker wherever an application passes user-supplied path expressions (for example from a request parameter or a configuration field) to the library; applications that evaluate only hard-coded paths are not exposed through this vector. The prerequisites are a vulnerable version (before 10.3.0) and evaluation of the attacker's expression in the default 'safe' eval mode. Switching to eval: true is not a mitigation, since that mode evaluates expressions with no sandbox at all.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| EQSTLab | Link | JSONPath-plus Remote Code Execution |
| abrewer251 | Link | PoC exploit and vulnerable server demo for CVE-2025-1302 in jsonpath-plus. |
What are the Available Fixes for CVE-2025-1302?
Available Upgrade Options
- jsonpath-plus
- <10.3.0 → Upgrade to 10.3.0 or later
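A single top-level upgrade is not proof that no vulnerable copy remains: a transitive dependency can pin an older jsonpath-plus in a nested node_modules directory. The following added example (written for this page, not tooling from the jsonpath-plus project) scans an npm lockfile (lockfileVersion 2 or 3 'packages' map) for every recorded copy and flags those below 10.3.0; the sample lockfile embedded in it is constructed for illustration.

```javascript
// Added example, not from the jsonpath-plus project: find every copy of
// jsonpath-plus recorded in an npm lockfile (v2/v3 `packages` map) and flag
// those below the fixed version. `npm ls jsonpath-plus` answers the same
// question against an installed tree; this works on the lockfile alone
// (e.g. in CI) and catches nested copies pulled in by transitive dependencies.

const FIXED_VERSION = '10.3.0'; // first release containing the fix, per the advisory

// Parses "MAJOR.MINOR.PATCH[-prerelease][+build]" into three numbers.
function parseSemver(version) {
  const core = String(version).split(/[-+]/)[0];
  const parts = core.split('.').map((n) => Number.parseInt(n, 10));
  if (parts.length !== 3 || parts.some((n) => Number.isNaN(n))) {
    throw new Error(`unparseable version: ${version}`);
  }
  return parts;
}

// Comparator: negative if a < b, zero if equal, positive if a > b.
function compareSemver(a, b) {
  const x = parseSemver(a);
  const y = parseSemver(b);
  for (let i = 0; i < 3; i++) {
    if (x[i] !== y[i]) return x[i] - y[i];
  }
  // A prerelease of the fixed version (e.g. 10.3.0-rc.1) sorts before it.
  const preA = String(a).includes('-');
  const preB = String(b).includes('-');
  if (preA === preB) return 0;
  return preA ? -1 : 1;
}

// Scans a parsed package-lock.json (lockfileVersion 2 or 3). Returns one
// record per jsonpath-plus entry with a `vulnerable` flag. Lockfile v1
// (nested `dependencies` tree) is not handled here.
function findJsonpathPlus(lock) {
  const packages = lock.packages || {};
  const hits = [];
  for (const [location, meta] of Object.entries(packages)) {
    // Keys look like "node_modules/jsonpath-plus" for the hoisted copy or
    // "node_modules/<dep>/node_modules/jsonpath-plus" for a nested copy.
    if (location === 'node_modules/jsonpath-plus' ||
        location.endsWith('/node_modules/jsonpath-plus')) {
      hits.push({
        location,
        version: meta.version,
        vulnerable: compareSemver(meta.version, FIXED_VERSION) < 0,
      });
    }
  }
  return hits;
}

// Reads and scans a lockfile from disk. Usage: scanLockfile('package-lock.json')
function scanLockfile(file) {
  const fs = require('fs');
  return findJsonpathPlus(JSON.parse(fs.readFileSync(file, 'utf8')));
}

// Constructed sample lockfile (not a real project's): the hoisted copy is
// fixed, but a transitive dependency still pins a vulnerable nested copy.
const SAMPLE_LOCK = {
  name: 'sample-app',
  lockfileVersion: 3,
  packages: {
    '': { name: 'sample-app', dependencies: { 'jsonpath-plus': '^10.3.0', 'some-dep': '1.0.0' } },
    'node_modules/jsonpath-plus': { version: '10.3.0' },
    'node_modules/some-dep': { version: '1.0.0', dependencies: { 'jsonpath-plus': '^9.0.0' } },
    'node_modules/some-dep/node_modules/jsonpath-plus': { version: '9.0.0' },
  },
};

// Prints a report line per copy; returns true when any copy is vulnerable.
function report(lock) {
  const hits = findJsonpathPlus(lock);
  for (const h of hits) {
    console.log(`${h.vulnerable ? 'VULNERABLE' : 'ok'}\t${h.version}\t${h.location}`);
  }
  return hits.some((h) => h.vulnerable);
}

report(SAMPLE_LOCK); // sample prints one ok line and one VULNERABLE line
```

On the constructed sample the hoisted copy passes and the nested copy under some-dep is flagged; in a real tree the remediation for that case is an override (npm 'overrides' or an equivalent) or an upgrade of the dependency that pins the old version, not just a top-level bump.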
Additional Resources
- https://nvd.nist.gov/vuln/detail/CVE-2024-21534
- https://osv.dev/vulnerability/GHSA-hw8r-x6gr-5gjp
- https://github.com/JSONPath-Plus/JSONPath/commit/30942896d27cb8a806b965a5ca9ef9f686be24ee
- https://nvd.nist.gov/vuln/detail/CVE-2025-1302
- https://github.com/JSONPath-Plus/JSONPath
- https://github.com/JSONPath-Plus/JSONPath/blob/8e4acf8aff5f446aa66323e12394ac5615c3b260/src/Safe-Script.js#L127
- https://security.snyk.io/vuln/SNYK-JS-JSONPATHPLUS-8719585
- https://gist.github.com/nickcopi/11ba3cb4fdee6f89e02e6afae8db6456
What are Similar Vulnerabilities to CVE-2025-1302?
Similar Vulnerabilities: CVE-2024-21534, CVE-2023-46604, CVE-2023-38545, CVE-2023-35805, CVE-2023-28155
