CVE-2026-1615
📋 TL;DR
The jsonpath package is vulnerable to arbitrary code execution via malicious JSON Path expressions. Attackers can inject JavaScript code that gets executed during JSON Path evaluation, leading to remote code execution in Node.js or XSS in browsers. All applications using jsonpath to process untrusted JSON Path expressions are affected.
💻 Affected Systems
- jsonpath npm package
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Full remote code execution on Node.js servers, allowing complete system compromise, data theft, and lateral movement within the network.
Likely Case
Server-side JavaScript execution leading to data exfiltration, privilege escalation, or denial of service in Node.js applications.
If Mitigated
Limited impact if only trusted JSON Path expressions are processed or if input validation blocks malicious patterns.
🎯 Exploit Status
Exploitation requires user input to reach vulnerable JSON Path evaluation functions. The vulnerability is well-documented with public proof-of-concept examples.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: None
Vendor Advisory: https://github.com/dchester/jsonpath/security/advisories
Restart Required: No
Instructions:
1. Remove the jsonpath dependency from package.json
2. Run npm uninstall jsonpath
3. Replace it with an alternative JSON Path library such as jsonpath-plus, or implement custom validation
4. Update all code imports from jsonpath to the new library
🔧 Temporary Workarounds
Input Validation and Sanitization
Implement strict validation of JSON Path expressions before passing them to jsonpath functions
Use Alternative Library
Replace jsonpath with jsonpath-plus, which does not use static-eval
npm uninstall jsonpath
npm install jsonpath-plus
🧯 If You Can't Patch
- Implement strict input validation to only allow known-safe JSON Path patterns
- Isolate jsonpath usage in sandboxed environments or containers with minimal privileges
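One way to implement the strict allowlist validation described above, as an added example that is not the advisory's or the jsonpath project's code: a small tokenizer that admits only structural path segments (rooted at `$`, dotted or bracketed member names, numeric indexes, wildcards) and refuses the filter and script expression forms, which are the part of the grammar that jsonpath evaluates dynamically. `guardedQuery` and its `queryFn` parameter are hypothetical names for wrapping whatever query function the application already calls.

```javascript
'use strict';

// Accepted segment forms, tried in order against the remaining input.
// Anything not matched here (e.g. `[?(`, `[(`, `@`, `,`, `:`) is rejected.
const SEGMENT_FORMS = [
  /^\.\.?(?:[A-Za-z_][A-Za-z0-9_]*|\*)/, // .name  ..name  .*  ..*
  /^\[\d+\]/,                             // [0]
  /^\[\*\]/,                              // [*]
  /^\['(?:[^'\\]|\\.)*'\]/,               // ['key']
  /^\["(?:[^"\\]|\\.)*"\]/,               // ["key"]
];

// Returns the list of accepted segments, or null if any part of the
// expression falls outside the allowlist. The length bound is a constructed
// sanity limit, not a value from the advisory.
function tokenizeJsonPath(expr, maxLength = 256) {
  if (typeof expr !== 'string' || expr.length === 0 || expr.length > maxLength) {
    return null;
  }
  if (expr[0] !== '$') return null; // expressions must be rooted
  const segments = [];
  let rest = expr.slice(1);
  while (rest.length > 0) {
    const form = SEGMENT_FORMS.find((re) => re.test(rest));
    if (!form) return null;
    const [segment] = form.exec(rest);
    segments.push(segment);
    rest = rest.slice(segment.length);
  }
  return segments;
}

function isSafeJsonPath(expr) {
  return tokenizeJsonPath(expr) !== null;
}

// Hypothetical wrapper: `queryFn` is the library call already in use
// (for the jsonpath package that would be jp.query). Unsafe expressions
// never reach it, so the dynamic-evaluation code path is never exercised.
function guardedQuery(queryFn, obj, expr) {
  if (!isSafeJsonPath(expr)) {
    throw new Error(`rejected JSON Path expression: ${JSON.stringify(expr)}`);
  }
  return queryFn(obj, expr);
}
```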
🔍 How to Verify
Check if Vulnerable:
Check package.json for jsonpath dependency: grep -r 'jsonpath' package.json
Check Version:
npm list jsonpath
Verify Fix Applied:
Verify that jsonpath is removed from package.json and node_modules, and that the alternative library is installed
📡 Detection & Monitoring
Log Indicators:
- Unusual JavaScript execution errors
- Suspicious JSON Path patterns in input logs
- Unexpected process spawns from Node.js applications
Network Indicators:
- Outbound connections from Node.js processes to unexpected destinations
- Large data exfiltration from application servers
SIEM Query:
source="application.logs" AND ("jsonpath" OR "static-eval") AND ("eval" OR "Function" OR "constructor")
🔗 References
- https://github.com/dchester/jsonpath/blob/c1dd8ec74034fb0375233abb5fdbec51ac317b4b/lib/handlers.js#L243
- https://github.com/dchester/jsonpath/commit/9631412641b7095f86840a7a45b5b3afc68b0fcb
- https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-15141219
- https://security.snyk.io/vuln/SNYK-JS-JSONPATH-13645034