Platform: nodejs
Component: jsonpath-plus
Fixed in: 10.3.0
CVE-2025-1302 represents a critical Remote Code Execution (RCE) vulnerability affecting the jsonpath-plus Node.js package. This flaw stems from improper input sanitization, enabling attackers to execute arbitrary code on the system. The vulnerability impacts versions prior to 10.3.0 and is a continuation of an incomplete fix for CVE-2024-21534. A fix is available in version 10.3.0.
The impact of CVE-2025-1302 is severe, allowing an attacker to gain complete control over a system running vulnerable applications. Exploitation occurs through the unsafe default usage of the eval='safe' mode, which bypasses intended security measures. An attacker could inject malicious code into the jsonpath-plus processing pipeline, leading to arbitrary command execution. This could result in data breaches, system compromise, and potential lateral movement within a network. The vulnerability's ease of exploitation, coupled with the widespread use of Node.js in various applications, significantly expands its potential blast radius.
CVE-2025-1302 was published on 2025-02-15. It builds upon the incomplete fix for CVE-2024-21534, indicating a potential history of similar vulnerabilities. The vulnerability's CRITICAL CVSS score and the ease of exploitation suggest a high probability of exploitation. As of this writing, no public proof-of-concept (PoC) has been released, but the potential for rapid development and dissemination of such a PoC is high. It is not currently listed on the CISA KEV catalog.
Applications utilizing the jsonpath-plus Node.js package, particularly those handling untrusted user input, are at significant risk. This includes web applications, APIs, and backend services that rely on JSON path expressions for data manipulation. Developers using older versions of Node.js or those with limited security expertise are particularly vulnerable.
• nodejs / server:
npm list jsonpath-plus
This command lists the installed versions of jsonpath-plus. Check whether the version is lower than 10.3.0.
• nodejs / server:
find / -path "*/node_modules/jsonpath-plus" -print
Locate jsonpath-plus directories inside the node_modules folders of your Node.js projects to identify vulnerable installations. Note that find's -name only matches the last path component, so -path is required to match the node_modules/jsonpath-plus pair.
• nodejs / server:
journalctl -u node -f | grep -i "jsonpath-plus"
Monitor Node.js application logs for errors or unusual activity related to jsonpath-plus.
• generic web:
Review Node.js application code for any instances where user-supplied data is directly passed to jsonpath-plus without proper sanitization.
EPSS: 88.86% (100th percentile)
The primary mitigation for CVE-2025-1302 is to immediately upgrade the jsonpath-plus package to version 10.3.0 or later. If upgrading is not immediately feasible due to compatibility issues or breaking changes, consider implementing input validation and sanitization on any data passed to jsonpath-plus. While a direct WAF rule is unlikely to be effective, carefully reviewing and restricting the data sources used by jsonpath-plus can reduce the attack surface. There are no specific Sigma or YARA patterns available at this time, but monitoring for unusual process executions originating from Node.js applications is recommended.
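Two checks a defender can wire into an application that accepts JSONPath strings, written as an added example for this advisory (not the advisory's or the jsonpath-plus project's own code): a semver gate against the 10.3.0 fix, and an allowlist that rejects script and filter expressions in untrusted paths before they reach the library's evaluator. The `JSONPath({ path, json, eval: false })` call shape and the `eval: false` option are assumptions about the library's API.

```javascript
// Added example for CVE-2025-1302 (not code from the advisory or from jsonpath-plus).
// 1. isVulnerableVersion(): is an installed jsonpath-plus older than the 10.3.0 fix?
// 2. untrustedPathIsSafe(): keep untrusted JSONPath input to plain selectors, so the
//    library's expression evaluator never sees attacker-controlled code.

const FIXED_VERSION = "10.3.0";

function parseSemver(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  if (!m) throw new Error(`not a semver string: ${v}`);
  return m.slice(1, 4).map(Number);
}

function isVulnerableVersion(installed, fixed = FIXED_VERSION) {
  const a = parseSemver(installed);
  const b = parseSemver(fixed);
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i];
  }
  return false; // exactly the fixed version
}

// Constructs that make jsonpath-plus evaluate the expression as code:
// filter expressions `?(...)`, script expressions `(...)` and the `@`
// current-object reference used inside them. The allowlist admits only
// member names, wildcards, numeric or single-quoted indexes and `..` descent.
const EVAL_CONSTRUCTS = /[()@?]/;
const ALLOWED_PATH =
  /^\$(\.\.?(\*|[A-Za-z_][A-Za-z0-9_]*)|\[(\*|\d+|'[^'\\]*')\])*$/;

function untrustedPathIsSafe(path) {
  return (
    typeof path === "string" &&
    path.length <= 256 &&
    !EVAL_CONSTRUCTS.test(path) &&
    ALLOWED_PATH.test(path)
  );
}

// Wrapper around the library's JSONPath function, passed in so this file has no
// dependency. Assumed call shape: JSONPath({ path, json, eval: false }); setting
// eval to false is assumed to disable expression evaluation entirely, so the
// allowlist above is the first line of defence and eval:false the second.
function queryUntrusted(JSONPath, path, json) {
  if (!untrustedPathIsSafe(path)) {
    throw new Error(`rejected untrusted JSONPath: ${path}`);
  }
  return JSONPath({ path, json, eval: false });
}
```

The version gate can be fed the output of `npm list jsonpath-plus --json`, and the wrapper replaces any direct `JSONPath(...)` call that receives a path from a request, a config file or a message queue.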
Update the jsonpath-plus dependency to version 10.3.0 or higher. This resolves the Remote Code Execution vulnerability caused by improper input sanitization. Run `npm install jsonpath-plus@latest` or `yarn add jsonpath-plus@latest` to update.
CVE-2025-1302 is a critical Remote Code Execution vulnerability in the jsonpath-plus Node.js package, allowing attackers to execute arbitrary code due to improper input sanitization. Versions before 10.3.0 are affected.
You are affected if you are using a version of jsonpath-plus prior to 10.3.0 in your Node.js applications. Check your project dependencies immediately.
Upgrade the jsonpath-plus package to version 10.3.0 or later using npm or yarn. If upgrading is not possible, implement strict input validation and sanitization.
While no public exploits are currently known, the vulnerability's severity and ease of exploitation suggest a high likelihood of future exploitation. Monitor your systems closely.
Refer to the jsonpath-plus project's GitHub repository and npm package page for updates and advisories related to CVE-2025-1302.