CVE-2025-1302
📋 TL;DR
CVE-2025-1302 is a critical Remote Code Execution vulnerability in jsonpath-plus versions before 10.3.0. Attackers can execute arbitrary code on affected systems by exploiting improper input sanitization in the 'safe' eval mode. This affects any application using vulnerable versions of the jsonpath-plus package.
💻 Affected Systems
- jsonpath-plus
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise allowing an attacker to execute arbitrary commands, steal data, install malware, or pivot to other systems.
Likely Case
Application compromise leading to data theft, service disruption, or lateral movement within the environment.
If Mitigated
Limited impact if proper network segmentation, least privilege, and input validation are implemented.
🎯 Exploit Status
Proof of concept available in GitHub gist. Exploitation requires the application to process attacker-controlled JSON input.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 10.3.0
Vendor Advisory: https://github.com/JSONPath-Plus/JSONPath/commit/30942896d27cb8a806b965a5ca9ef9f686be24ee
Restart Required: Yes
Instructions:
1. Update jsonpath-plus to version 10.3.0 or later using npm update jsonpath-plus.
2. Restart all Node.js applications using the package.
3. Test functionality after the update.
🔧 Temporary Workarounds
Input Validation and Sanitization
Implement strict input validation and sanitization for all JSON inputs before processing with jsonpath-plus.
Network Controls
Restrict network access to applications using jsonpath-plus and implement WAF rules to block suspicious JSON payloads.
🧯 If You Can't Patch
- Isolate affected applications in network segments with strict egress filtering
- Implement application-level allowlisting for JSON input sources and monitor for anomalous patterns
🔍 How to Verify
Check if Vulnerable:
Check package.json or run npm list jsonpath-plus to see the installed version. If the installed version is below 10.3.0, that copy is vulnerable.
Check Version:
npm list jsonpath-plus | grep jsonpath-plus
Verify Fix Applied:
After the update, verify that npm list jsonpath-plus shows version 10.3.0 or higher, then test application functionality.
📡 Detection & Monitoring
Log Indicators:
- Unusual process spawns from Node.js applications
- Errors in application logs related to JSON parsing failures
- Unexpected outbound network connections from application servers
Network Indicators:
- HTTP requests containing unusual JSON payloads with JavaScript-like syntax
- Traffic to known malicious domains from application servers
SIEM Query:
source="application.logs" AND ("jsonpath-plus" OR "JSONPath") AND ("eval" OR "script" OR "exec")
🔗 References
- https://gist.github.com/nickcopi/11ba3cb4fdee6f89e02e6afae8db6456
- https://github.com/JSONPath-Plus/JSONPath/blob/8e4acf8aff5f446aa66323e12394ac5615c3b260/src/Safe-Script.js#L127
- https://github.com/JSONPath-Plus/JSONPath/commit/30942896d27cb8a806b965a5ca9ef9f686be24ee
- https://security.snyk.io/vuln/SNYK-JS-JSONPATHPLUS-8719585