CVE-2026-1615
All versions of the package jsonpath are vulnerable to Arbitrary Code Injection via unsafe evaluation of user-supplied JSON Path expressions. The library relies on the static-eval module to process JS...
Overview
A critical security vulnerability has been discovered in the jsonpath package, a popular library used to query and extract data from JSON objects. This flaw allows an attacker to execute arbitrary code on systems using this library.
Vulnerability Explained
In simple terms, the jsonpath library uses an unsafe method to process user-provided search queries (called JSON Path expressions). Because it does not properly check or sanitize this input, an attacker can craft a malicious query that tricks the library into running harmful JavaScript code. This is similar to handing a stranger a set of instructions for your system and having them secretly replace a step with a command to open a backdoor.
Impact and Severity
This vulnerability is rated CRITICAL with a CVSS score of 9.8. Its impact is severe and depends on where the library is used:
- In Node.js/Server Environments: An attacker can achieve full Remote Code Execution (RCE), potentially taking complete control of the affected server, accessing sensitive data, or disrupting services.
- In Web Browsers: If the library is used in front-end code, the flaw can lead to Cross-site Scripting (XSS), allowing attackers to steal user sessions, deface websites, or redirect users to malicious sites.
Any application that uses jsonpath methods like .query(), .value(), or .apply() with untrusted user input is at risk.
Remediation and Mitigation
Immediate action is required to secure affected systems.
- Primary Fix: Update Immediately. The maintainers of the jsonpath package have released a patched version. Upgrade the package to version 1.1.2 or later. This is the most effective and recommended solution. Run: npm update jsonpath
- Immediate Mitigation (If Update is Not Possible): If you cannot update immediately, you must ensure that no untrusted data is ever passed to any jsonpath function. Review your code to confirm that all JSON Path expressions are hard-coded or come from a trusted, internal source. Treat any user-provided data as inherently unsafe for this library.
- Assessment: Inventory your projects and dependencies to identify all instances where the jsonpath package is used. Use commands like npm list jsonpath or check your package.json files.
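The following is an added example written for this advisory; it is not code from the jsonpath project or from the advisory's author. It covers both the mitigation described above (never let a free-form user expression reach the library: select hard-coded expressions by name) and the assessment step (walk a dependency tree in the shape produced by npm ls --json and flag every jsonpath occurrence below the 1.1.2 fix). The dependency tree and the query allowlist are constructed sample data; the version comparison assumes plain MAJOR.MINOR.PATCH strings and ignores prerelease tags.

```javascript
// Added example for the jsonpath advisory (not project code).
// Assumes the `npm ls --json` tree shape: { dependencies: { <name>: { version, dependencies } } }.

const PATCHED_VERSION = '1.1.2'; // first fixed release named in the advisory

// Parse "MAJOR.MINOR.PATCH" into numbers. Assumption: plain semver; prerelease/build tags are ignored.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(String(v));
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1, 4).map(Number);
}

function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// Every release before 1.1.2 is affected according to the advisory.
function isVulnerableJsonpath(version) {
  return compareVersions(version, PATCHED_VERSION) < 0;
}

// Recursively walk the dependency tree and report each jsonpath occurrence,
// including transitive copies pulled in by other packages.
function findJsonpath(tree, trail = [], out = []) {
  const deps = (tree && tree.dependencies) || {};
  for (const [name, info] of Object.entries(deps)) {
    const here = [...trail, name];
    if (name === 'jsonpath') {
      out.push({
        path: here.join(' > '),
        version: info.version,
        vulnerable: isVulnerableJsonpath(info.version),
      });
    }
    findJsonpath(info, here, out); // nested dependencies
  }
  return out;
}

// Constructed sample resembling `npm ls --json` output (not real project data).
const SAMPLE_TREE = {
  name: 'example-app',
  dependencies: {
    jsonpath: { version: '1.1.1' },
    'some-lib': {
      version: '2.0.0',
      dependencies: { jsonpath: { version: '1.1.2' } },
    },
  },
};

// Mitigation pattern: expressions are hard-coded and chosen by name, so a
// request can only pick one of these; the request body never supplies the path.
// The query names and paths below are constructed for illustration.
const ALLOWED_QUERIES = Object.freeze({
  bookTitles: '$.store.book[*].title',
  bicycleColor: '$.store.bicycle.color',
});

function resolveQuery(name) {
  if (!Object.prototype.hasOwnProperty.call(ALLOWED_QUERIES, name)) {
    throw new Error(`unknown query name: ${name}`);
  }
  return ALLOWED_QUERIES[name];
}

// Stand-alone run: print the inventory report for the sample tree.
for (const hit of findJsonpath(SAMPLE_TREE)) {
  console.log(`${hit.path}@${hit.version}: ${hit.vulnerable ? 'VULNERABLE (upgrade)' : 'patched'}`);
}
```

In a real project, feed the parsed output of npm ls --json into findJsonpath and treat any entry marked vulnerable as a blocker; on the application side, the handler that previously accepted an expression string should accept only a query name and pass resolveQuery(name) to the library.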
Summary
This is a severe vulnerability that can lead to complete system compromise. The exploitation is straightforward if user input reaches the vulnerable functions. Prioritize upgrading the jsonpath package to the latest secure version as the most critical defensive action.