Platform: nodejs
Component: jsonpath-plus
Fixed in: 10.3.0
CVE-2025-1302 represents a critical Remote Code Execution (RCE) vulnerability affecting the jsonpath-plus Node.js package. This flaw stems from improper input sanitization, enabling attackers to execute arbitrary code on the system. The vulnerability impacts versions prior to 10.3.0 and is a continuation of an incomplete fix for CVE-2024-21534. A fix is available in version 10.3.0.
The impact of CVE-2025-1302 is severe: an attacker can gain complete control over a system running a vulnerable application. Exploitation goes through the library's default eval='safe' mode, whose intended safeguards can be bypassed. An attacker who can inject malicious input into the jsonpath-plus processing pipeline can achieve arbitrary command execution, with data breaches, system compromise, and lateral movement within a network as possible consequences. The ease of exploitation, coupled with the widespread use of Node.js, significantly expands the potential blast radius.
CVE-2025-1302 was published on 2025-02-15. It results from the incomplete fix for CVE-2024-21534, so this code path has a history of similar issues. The CRITICAL CVSS score and the ease of exploitation suggest a high probability of exploitation. As of this writing, no public proof-of-concept (PoC) has been released, but one could be developed and disseminated quickly. The vulnerability is not currently listed in the CISA KEV catalog.
Exploit Status
EPSS: 88.86% (100th percentile)
The primary mitigation for CVE-2025-1302 is to immediately upgrade the jsonpath-plus package to version 10.3.0 or later. If upgrading is not immediately feasible due to compatibility issues or breaking changes, consider implementing input validation and sanitization on any data passed to jsonpath-plus. While a direct WAF rule is unlikely to be effective, carefully reviewing and restricting the data sources used by jsonpath-plus can reduce the attack surface. There are no specific Sigma or YARA patterns available at this time, but monitoring for unusual process executions originating from Node.js applications is recommended.
Update the jsonpath-plus dependency to version 10.3.0 or higher. This will resolve the remote code execution vulnerability caused by improper input sanitization. Run `npm install jsonpath-plus@latest` or `yarn add jsonpath-plus@latest` to update.
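A dependency check for the upgrade step above, as an added example that is not part of this advisory or of the jsonpath-plus project: it scans a package-lock.json object (a constructed sample is embedded here) for every copy of jsonpath-plus below the fixed release 10.3.0, including transitive copies nested under other packages, and handles both lockfile version 1 and versions 2/3.

```javascript
// Added example (not from the advisory or the jsonpath-plus project):
// find jsonpath-plus versions below the fixed release 10.3.0 in a
// package-lock.json object. The lock file below is constructed sample data.
const FIXED = '10.3.0';
const PKG = 'jsonpath-plus';

// Compare two "x.y.z" versions numerically. Pre-release suffixes are ignored
// because only release versions are being audited here.
function cmpVersion(a, b) {
  const pa = a.split('-')[0].split('.').map(Number);
  const pb = b.split('-')[0].split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

// Walk lockfileVersion 2/3 ("packages" map) or version 1 ("dependencies" tree).
// Returns [{ path, version }] for every vulnerable copy, nested ones included.
function findVulnerable(lock) {
  const hits = [];
  if (lock.packages) {
    for (const [p, meta] of Object.entries(lock.packages)) {
      if (p.endsWith('node_modules/' + PKG) && meta.version &&
          cmpVersion(meta.version, FIXED) < 0) {
        hits.push({ path: p, version: meta.version });
      }
    }
  } else if (lock.dependencies) {
    const walk = (deps, prefix) => {
      for (const [name, meta] of Object.entries(deps)) {
        const p = prefix + 'node_modules/' + name;
        if (name === PKG && cmpVersion(meta.version, FIXED) < 0) {
          hits.push({ path: p, version: meta.version });
        }
        if (meta.dependencies) walk(meta.dependencies, p + '/');
      }
    };
    walk(lock.dependencies, '');
  }
  return hits;
}

// Constructed sample: a patched top-level copy and a vulnerable transitive one.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', version: '1.0.0' },
    'node_modules/jsonpath-plus': { version: '10.3.0' },
    'node_modules/some-lib': { version: '2.1.0' },
    'node_modules/some-lib/node_modules/jsonpath-plus': { version: '10.2.0' },
  },
};
console.log(JSON.stringify(findVulnerable(SAMPLE_LOCK), null, 2));
```

To run it against a real project, replace SAMPLE_LOCK with the parsed contents of that project's package-lock.json; a non-empty result means the upgrade (or the interim input validation) still needs to be applied.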
CVE-2025-1302 is a critical Remote Code Execution vulnerability in the jsonpath-plus Node.js package, allowing attackers to execute arbitrary code due to improper input sanitization. Versions before 10.3.0 are affected.
You are affected if you are using a version of jsonpath-plus prior to 10.3.0 in your Node.js applications. Check your project dependencies immediately.
Upgrade the jsonpath-plus package to version 10.3.0 or later using npm or yarn. If upgrading is not possible, implement strict input validation and sanitization.
While no public exploits are currently known, the vulnerability's severity and ease of exploitation suggest a high likelihood of future exploitation. Monitor your systems closely.
Refer to the jsonpath-plus project's GitHub repository and npm package page for updates and advisories related to CVE-2025-1302.