CVE-2025-1302
Vexday Risk Score: 68 (High priority)
SSVC decision (CISA): Attend (PoC available → attend closely)
CVSS: 9.3
EPSS: 10.7%
KEV: no
PoC: public
Nuclei: yes
Metasploit: —
Patch: —
Lifecycle
15 Feb 2025: Published on NVD
25 Feb 2025: Public PoC
Recommendation: Plan a near-term fix — a public PoC already exists.
Versions of the package jsonpath-plus before 10.3.0 are vulnerable to Remote Code Execution (RCE) due to improper input sanitization. An attacker can execute arbitrary code on the system by exploiting the unsafe default usage of eval='safe' mode.
**Note:**
This is caused by an incomplete fix for [CVE-2024-21534](https://security.snyk.io/vuln/SNYK-JS-JSONPATHPLUS-7945884).
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P
Affected products
n/a · jsonpath-plus
Public PoCs found: 2
- github.com/EQSTLab/CVE-2025-1302 (★ 21)
- github.com/abrewer251/CVE-2025-1302_jsonpath-plus_RCE (★ 1)
⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.
References
- https://gist.github.com/nickcopi/11ba3cb4fdee6f89e02e6afae8db6456
- https://github.com/JSONPath-Plus/JSONPath/blob/8e4acf8aff5f446aa66323e12394ac5615c3b260/src/Safe-Script.js%23L127
- https://github.com/JSONPath-Plus/JSONPath/commit/30942896d27cb8a806b965a5ca9ef9f686be24ee
- https://security.snyk.io/vuln/SNYK-JS-JSONPATHPLUS-8719585