jsonpath-plus Remote Code Execution Vulnerability
Vulnerability
A remote code execution vulnerability exists in the jsonpath-plus package, affecting versions prior to 10.3.0. The flaw stems from inadequate input sanitization: the package's default 'safe' eval mode for JSONPath expressions can be bypassed, letting an attacker execute arbitrary code through a crafted expression. The issue is exacerbated by an incomplete fix for a previous vulnerability (CVE-2024-21534).
Impact
Exploitation of this vulnerability allows for arbitrary code execution on the server where the affected jsonpath-plus version is used.
Reproduction
The vulnerability can be reproduced by sending a crafted JSONPath expression to an endpoint that evaluates JSONPath queries using jsonpath-plus version 10.2.0 or earlier. This is done by posting a JSON object together with a malicious JSONPath expression that triggers the vulnerability, for example one that references the console and child_process modules to execute commands.
Remediation
Users are advised to upgrade jsonpath-plus to version 10.3.0 or later.
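Because jsonpath-plus is often pulled in transitively, a single top-level upgrade may leave older copies nested under other dependencies. The following script is an added example, not part of the advisory or the jsonpath-plus project: it walks an `npm ls --json --all` style tree (a constructed sample is embedded) and reports every copy older than the fixed release 10.3.0.

```javascript
// Added example: find vulnerable jsonpath-plus copies (< 10.3.0) in an npm ls tree.
const FIXED = [10, 3, 0]; // first fixed release per the advisory

// Parse "MAJOR.MINOR.PATCH[-prerelease]" into numeric parts plus an optional
// prerelease tag (a prerelease of 10.3.0 still predates the fix).
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?/.exec(v);
  if (!m) return null;
  return { parts: [Number(m[1]), Number(m[2]), Number(m[3])], pre: m[4] || null };
}

// true when the installed version is strictly lower than 10.3.0.
function isAffected(version) {
  const p = parseVersion(version);
  if (!p) return true; // unparsable version string: treat as affected
  for (let i = 0; i < 3; i++) {
    if (p.parts[i] !== FIXED[i]) return p.parts[i] < FIXED[i];
  }
  return p.pre !== null; // exactly 10.3.0 is fixed; 10.3.0-<pre> is not
}

// Recursively walk the dependency tree; returns [{ path, version }] for each
// vulnerable copy, where path shows how the copy is reached (e.g. "lib > jsonpath-plus").
function findVulnerable(tree, name = 'jsonpath-plus') {
  const hits = [];
  function walk(node, path) {
    for (const [dep, info] of Object.entries(node.dependencies || {})) {
      const here = [...path, dep];
      if (dep === name && info.version && isAffected(info.version)) {
        hits.push({ path: here.join(' > '), version: info.version });
      }
      walk(info, here); // nested node_modules can hold their own copy
    }
  }
  walk(tree, []);
  return hits;
}

// Constructed sample resembling `npm ls --json --all` output (not real audit data).
const SAMPLE_TREE = {
  name: 'example-app',
  dependencies: {
    'jsonpath-plus': { version: '10.3.0' },
    'some-lib': { version: '1.0.0', dependencies: { 'jsonpath-plus': { version: '10.2.0' } } },
    'other-lib': { version: '2.1.0', dependencies: { 'jsonpath-plus': { version: '9.0.0' } } },
  },
};

for (const hit of findVulnerable(SAMPLE_TREE)) {
  console.log(`${hit.path}@${hit.version} is affected; upgrade to 10.3.0 or later`);
}
```

To run against a real project, replace SAMPLE_TREE with `JSON.parse` of the captured `npm ls --json --all` output.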
