CVE-2026-1615
Published 2026-02-09
Priority: P261 · Severity: critical · CVSS 3.1 base score: 9.8
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 1.05% (60.0th percentile)
Versions of the package jsonpath before 1.3.0 are vulnerable to Arbitrary Code Injection via unsafe evaluation of user-supplied JSON Path expressions. The library relies on the static-eval module to process JSON Path input, which is not designed to handle untrusted data safely. An attacker can exploit this vulnerability by supplying a malicious JSON Path expression that, when evaluated, executes arbitrary JavaScript code, leading to Remote Code Execution in Node.js environments or Cross-site Scripting (XSS) in browser contexts. This affects all methods that evaluate JSON Paths against objects, including .query, .nodes, .paths, .value, .parent, and .apply.
Detection & IOCs (extracted from sources)
- All methods that evaluate JSON Paths against objects are affected entry points: .query, .nodes, .paths, .value, .parent, and .apply. Monitor for malicious JSON Path expressions passed to these methods in Node.js applications using the jsonpath package before 1.3.0.
- The vulnerability is rooted in the use of the `static-eval` module for processing user-supplied JSON Path input; audit dependency trees for jsonpath < 1.3.0 using static-eval as a transitive dependency.
- In browser contexts, exploitation results in XSS; in Node.js environments, exploitation results in RCE. Alert on unexpected script execution or outbound connections from Node.js processes handling JSON Path evaluation.
- In some contexts it may be possible to remotely exploit this flaw without any privileges; treat any externally reachable endpoint passing user input to jsonpath methods as a high-priority attack surface.
- Only jsonpath versions before 1.3.0 are vulnerable; version 1.3.0 and later are not affected. Verify the installed version in package-lock.json or yarn.lock.
- Within Red Hat products, jsonpath is used as a transitive dependency or does not directly handle user input, reducing exposure; deployments that pass user input directly to jsonpath remain the highest risk.
- Red Hat has confirmed no mitigation is currently available meeting their criteria; patching to jsonpath >= 1.3.0 is the only remediation path.
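The lockfile check from the list above, as an added example that is not from the advisory or the jsonpath project: it walks a parsed package-lock.json in either the v1 nested layout or the v2/v3 flat layout and reports every installed jsonpath copy below 1.3.0. The sample lockfile embedded at the end is constructed, not taken from a real project.

```javascript
// Added example, not from the advisory or the jsonpath project: audit a parsed
// package-lock.json (v1 nested or v2/v3 flat layout) for jsonpath < 1.3.0.
const FIXED = [1, 3, 0]; // first non-vulnerable jsonpath release

// "1.2.3" or "v1.2.3-rc.1" -> [1, 2, 3]; null when the string is not a version.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v));
  return m ? [Number(m[1]), Number(m[2]), Number(m[3])] : null;
}

// True when the version sorts before 1.3.0. Unparseable specs (git URLs,
// "file:" links) are flagged so they get manual review instead of passing.
function isVulnerable(version) {
  const p = parseVersion(version);
  if (!p) return true;
  for (let i = 0; i < 3; i++) {
    if (p[i] !== FIXED[i]) return p[i] < FIXED[i];
  }
  return false;
}

// Return every install path in the lockfile that holds a vulnerable jsonpath.
function findVulnerableJsonpath(lock) {
  const hits = [];
  if (lock.packages) { // v2/v3: keys like "node_modules/a/node_modules/jsonpath"
    for (const [path, entry] of Object.entries(lock.packages)) {
      if (/(^|\/)node_modules\/jsonpath$/.test(path) && isVulnerable(entry.version)) {
        hits.push({ path, version: String(entry.version) });
      }
    }
    return hits;
  }
  const walk = (deps, prefix) => { // v1: recurse through nested "dependencies"
    for (const [name, entry] of Object.entries(deps || {})) {
      const path = `${prefix}node_modules/${name}`;
      if (name === "jsonpath" && isVulnerable(entry.version)) {
        hits.push({ path, version: String(entry.version) });
      }
      walk(entry.dependencies, `${path}/`);
    }
  };
  walk(lock.dependencies, "");
  return hits;
}

// Constructed sample lockfile (not a real project): a direct 1.1.1 install plus
// an already-fixed transitive copy, which must not be reported.
const SAMPLE_LOCK = { packages: {
  "node_modules/jsonpath": { version: "1.1.1" },
  "node_modules/some-lib/node_modules/jsonpath": { version: "1.3.0" },
} };
console.log(findVulnerableJsonpath(SAMPLE_LOCK)); // [{ path: "node_modules/jsonpath", version: "1.1.1" }]
```

To run it against a real project, replace SAMPLE_LOCK with `JSON.parse(require("fs").readFileSync("package-lock.json", "utf8"))`.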
CVSS provenance

| Source | CVSS version | Score | Severity | Vector |
| --- | --- | --- | --- | --- |
| nvd | 3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | 4.0 | 8.2 | HIGH | CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
| ghsa | | 9.2 | CRITICAL | |
| osv | | 9.2 | CRITICAL | |
| vendor_redhat | | 9.2 | CRITICAL | |
VulDB
CVE-2026-1615 [CRITICAL] dchester jsonpath code injection (SNYK-JS-JSONPATH-13645034 / Nessus ID 299512)
vuldb · 2026-07-01 · CVSS 9.8
A vulnerability classified as critical was found in dchester jsonpath. Affected by this vulnerability is an unknown functionality. Such manipulation leads to code injection.
This vulnerability is referenced as CVE-2026-1615. It is possible to launch the attack remotely. No exploit is available.
GHSA
CVE-2026-1615 [CRITICAL] CWE-94 jsonpath has Arbitrary Code Injection via Unsafe Evaluation of JSON Path Expressions
ghsa · 2026-02-09 · CVSS 9.2
### Impact
**Arbitrary Code Injection (Remote Code Execution & XSS):**
A critical security vulnerability affects **all versions** of the `jsonpath` package. The library relies on the `static-eval` module to evaluate JSON Path expressions but fails to properly sanitize or sandbox the input.
This allows an attacker to inject arbitrary JavaScript code into the JSON Path expression. When the library evaluates this expression, the malicious code is executed.
* **Node.js Environments:** This leads to **Remote Code Execution (RCE)**, allowing an attacker to compromise the server.
* **Browser Environments:** This leads to **Cross-Site Scripting (XSS)**, allowing an attacker to hijack user sessions or exfiltra
OSV
CVE-2026-1615 [CRITICAL] jsonpath has Arbitrary Code Injection via Unsafe Evaluation of JSON Path Expressions
osv · 2026-02-09 · CVSS 9.2
The OSV entry carries the same advisory text as the GHSA entry above.
Red Hat
CVE-2026-1615 [CRITICAL] CWE-94 jsonpath: Arbitrary Code Execution via unsafe JSON Path expression evaluation
vendor_redhat · 2026-02-09 · CVSS 9.2
The Red Hat entry repeats the NVD description given at the top of this page, followed by:
A flaw was found in the jsonpath component. Th
No detection rules found.
No public exploits indexed.
References
- https://github.com/dchester/jsonpath/blob/c1dd8ec74034fb0375233abb5fdbec51ac317b4b/lib/handlers.js%23L243
- https://github.com/dchester/jsonpath/commit/b61111f07ac1a8d0f3133b5fc51438ecb76a6c39
- https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-15141219
- https://security.snyk.io/vuln/SNYK-JS-JSONPATH-13645034
- https://access.redhat.com/errata/RHSA-2026:6308
- https://access.redhat.com/errata/RHSA-2026:6309
- https://access.redhat.com/errata/RHSA-2026:6802
- https://access.redhat.com/security/cve/CVE-2026-1615
- https://bugzilla.redhat.com/show_bug.cgi?id=2437875
- https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-1615.json