Описание
jsonpath has Arbitrary Code Injection via Unsafe Evaluation of JSON Path Expressions
Impact
Arbitrary Code Injection (Remote Code Execution & XSS):
A critical security vulnerability affects all versions of the jsonpath package. The library relies on the static-eval module to evaluate JSON Path expressions but fails to properly sanitize or sandbox the input.
This allows an attacker to inject arbitrary JavaScript code into the JSON Path expression. When the library evaluates this expression, the malicious code is executed.
- Node.js Environments: This leads to Remote Code Execution (RCE), allowing an attacker to compromise the server.
- Browser Environments: This leads to Cross-Site Scripting (XSS), allowing an attacker to hijack user sessions or exfiltrate data.
Affected Methods:
The vulnerability triggers when untrusted data is passed to any method that evaluates a path, including:
jsonpath.queryjsonpath.nodesjsonpath.pathsjsonpath.valuejsonpath.parentjsonpath.apply
Patches
No Patch Available:
Currently, all versions of jsonpath are vulnerable. There is no known patched version of this package that resolves the issue while retaining the current architecture.
Recommendation:
Developers are strongly advised to migrate to a secure alternative (such as jsonpath-plus or similar libraries that do not use eval/static-eval) or strictly validate all JSON Path inputs against a known allowlist.
Workarounds
- Strict Input Validation: Ensure that no user-supplied data is ever passed directly to
jsonpathfunctions. - Sanitization: If user input is unavoidable, implement a strict parser to reject any JSON Path expressions containing executable JavaScript syntax (e.g., parentheses
(), script expressionsscript:, or function calls).
Resources
Ссылки
- https://nvd.nist.gov/vuln/detail/CVE-2026-1615
- https://github.com/dchester/jsonpath/pull/197
- https://github.com/dchester/jsonpath/commit/491e2e01de2ff13f7d95e87eb2be726edbf4225f
- https://github.com/dchester/jsonpath/commit/b61111f07ac1a8d0f3133b5fc51438ecb76a6c39
- https://github.com/dchester/jsonpath/blob/c1dd8ec74034fb0375233abb5fdbec51ac317b4b/lib/handlers.js#L243
- https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-15141219
- https://security.snyk.io/vuln/SNYK-JS-JSONPATH-13645034
Пакеты
jsonpath
<= 1.2.1
1.3.0
Связанные уязвимости
Versions of the package jsonpath before 1.2.0 are vulnerable to Arbitrary Code Injection via unsafe evaluation of user-supplied JSON Path expressions. The library relies on the static-eval module to process JSON Path input, which is not designed to handle untrusted data safely. An attacker can exploit this vulnerability by supplying a malicious JSON Path expression that, when evaluated, executes arbitrary JavaScript code, leading to Remote Code Execution in Node.js environments or Cross-site Scripting (XSS) in browser contexts. This affects all methods that evaluate JSON Paths against objects, including .query, .nodes, .paths, .value, .parent, and .apply.
Versions of the package jsonpath before 1.2.0 are vulnerable to Arbitrary Code Injection via unsafe evaluation of user-supplied JSON Path expressions. The library relies on the static-eval module to process JSON Path input, which is not designed to handle untrusted data safely. An attacker can exploit this vulnerability by supplying a malicious JSON Path expression that, when evaluated, executes arbitrary JavaScript code, leading to Remote Code Execution in Node.js environments or Cross-site Scripting (XSS) in browser contexts. This affects all methods that evaluate JSON Paths against objects, including .query, .nodes, .paths, .value, .parent, and .apply.
Security update for golang-github-prometheus-prometheus