Description
All versions of the package jsonpath-plus are vulnerable to Remote Code Execution (RCE) due to improper input sanitization. An attacker can execute arbitrary code on the system by exploiting the unsafe default usage of vm in Node.
Note: There were several attempts to fix it in versions 10.0.0-10.1.0, but it could still be exploited using different payloads.
A flaw was found in jsonpath-plus. This vulnerability allows remote code execution via improper input sanitisation and unsafe default usage of the vm module in Node.js. Attackers can exploit this by executing arbitrary code through the unsafe use of the vm module in Node.js, which allows for malicious code injection. This issue occurs due to the way jsonpath-plus evaluates JSON paths using vm, a Node.js module that allows code execution. If user input is not properly sanitized, an attacker can craft JSON paths that execute dangerous commands, such as reading sensitive files.
Statement
Red Hat's initial impact rating of critical has been downgraded to low. While the vulnerable code is technically still present within Red Hat products, there are no code paths in affected products which allow exploitation. As such, the impact to Red Hat products is low. Each of the products listed has multiple components where a fixed build could occur. This distinction does not matter for users, as only one build needs to be fixed for the product. Additionally, in Red Hat OpenShift AI, jsonpath-plus is a dependency of a direct dependency and is never loaded, as the direct dependency's feature that requires jsonpath-plus is not used.
Mitigation
Red Hat Product Security recommends updating the vulnerable software to the latest version.
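Two defender-side checks that follow from the description and from Red Hat's statement, written for this page as an added example (not code from the jsonpath-plus project, from Snyk or from Red Hat). The first locates jsonpath-plus in an npm lockfile and reports whether it is a direct or a transitive dependency, the distinction Red Hat draws for OpenShift AI. The second confines untrusted JSONPath input to the selector subset that needs no expression evaluation: jsonpath-plus evaluates filter `?(...)` and script `(...)` expressions through Node's vm, so a service that accepts user-supplied paths can refuse those constructs before the library ever sees them. The lockfile fragment, the sample paths and the 512-character limit are constructed for the example.

```javascript
// Added example for this advisory; not code from jsonpath-plus, Snyk or Red Hat.
// Check 1: find jsonpath-plus in a package-lock.json (lockfileVersion 2/3 "packages" layout).
// Check 2: allow-list JSONPath selectors that need no expression evaluation.

const MAX_PATH_LENGTH = 512; // constructed limit; tune per application

// Constructed lockfile fragment mirroring the "dependency of a direct dependency" case.
const SAMPLE_LOCK = {
  name: 'example-app',
  lockfileVersion: 3,
  packages: {
    '': { name: 'example-app', dependencies: { '@example/direct-dep': '^1.0.0' } },
    'node_modules/@example/direct-dep': { version: '1.2.3', dependencies: { 'jsonpath-plus': '^9.0.0' } },
    'node_modules/jsonpath-plus': { version: '9.0.0' },
  },
};

const NM = 'node_modules/';

// "node_modules/a/node_modules/@s/b" -> "@s/b"
function packageNameFromLocation(location) {
  return location.slice(location.lastIndexOf(NM) + NM.length);
}

// Returns every installed copy of `target` with its version and whether it is
// transitive (not declared by the root package, or nested under another package).
function findJsonPathPlus(lock, target = 'jsonpath-plus') {
  const root = (lock.packages && lock.packages['']) || {};
  const direct = new Set([
    ...Object.keys(root.dependencies || {}),
    ...Object.keys(root.devDependencies || {}),
  ]);
  const hits = [];
  for (const [location, meta] of Object.entries(lock.packages || {})) {
    if (location === '' || packageNameFromLocation(location) !== target) continue;
    const nested = location.indexOf(NM) !== location.lastIndexOf(NM);
    hits.push({ location, version: meta.version, transitive: nested || !direct.has(target) });
  }
  return hits;
}

// Selector grammar accepted from untrusted input: $ followed by any number of
//   .name  ..name  .*  ..*                      (child / recursive descent / wildcard)
//   [*]  [n]  [start:end:step]  ['k']  ["k"]    (index, slice, quoted key)
//   ..[...]  and comma-separated unions inside brackets.
// Anything else, in particular ?( ... ) and ( ... ), is rejected.
const DOT_SEGMENT = /^\.\.?(?:\*|[A-Za-z_][A-Za-z0-9_]*)/;
const BRACKET_ITEM = String.raw`(?:\*|-?\d+(?::-?\d*){0,2}|:-?\d*(?::-?\d*)?|'[^'\\]*'|"[^"\\]*")`;
const BRACKET_SEGMENT = new RegExp(
  String.raw`^(?:\.\.)?\[\s*${BRACKET_ITEM}(?:\s*,\s*${BRACKET_ITEM})*\s*\]`,
);

// Walks the path segment by segment; the first unrecognised construct is reported.
function validateJsonPath(path) {
  if (typeof path !== 'string' || path.length === 0) {
    return { ok: false, reason: 'path must be a non-empty string' };
  }
  if (path.length > MAX_PATH_LENGTH) return { ok: false, reason: 'path exceeds length limit' };
  if (path[0] !== '$') return { ok: false, reason: 'path must start with $' };
  let offset = 1;
  while (offset < path.length) {
    const rest = path.slice(offset);
    const match = DOT_SEGMENT.exec(rest) || BRACKET_SEGMENT.exec(rest);
    if (!match) {
      return { ok: false, reason: `unsupported syntax at offset ${offset}: ${JSON.stringify(rest.slice(0, 12))}` };
    }
    offset += match[0].length;
  }
  return { ok: true, reason: null };
}

function isSafeJsonPath(path) {
  return validateJsonPath(path).ok;
}

// Constructed sample input: four plain selectors, two expression-bearing paths.
const CONSTRUCTED_PATHS = [
  '$.store.book[*].author',
  '$..author',
  "$['store']['book'][-1]",
  '$.store.book[0:2]',
  '$.store.book[?(@.price < 10)]', // filter expression: would be evaluated
  '$.store.book[(@.length-1)]',     // script expression: would be evaluated
];

function triage(paths) {
  return paths.map((p) => ({ path: p, ...validateJsonPath(p) }));
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(findJsonPathPlus(SAMPLE_LOCK));
  console.table(triage(CONSTRUCTED_PATHS));
}
```

The allow-list deliberately rejects legitimate filter expressions as well: if an application needs them, the expression should come from application code, not from the request, and the library call should be made with jsonpath-plus's own `preventEval` option set so that an expression-bearing path throws instead of being evaluated (that in-library switch is not exercised by this self-contained example). The lockfile check reports any installed copy, since the advisory states that all versions are affected; fixed versions should be taken from the upstream advisory rather than hard-coded.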
Affected packages
| Platform | Package | Status | Advisory | Release |
|---|---|---|---|---|
| Red Hat Developer Hub | rhdh/rhdh-rhel9-operator | Not affected | | |
| Red Hat OpenShift AI (RHOAI) | odh-dashboard-container | Fix deferred | | |
| Red Hat OpenShift AI (RHOAI) | odh-operator-container | Not affected | | |
| Red Hat OpenShift Data Science (RHODS) | rhods/odh-dashboard-rhel8 | Fix deferred | | |
| Red Hat OpenShift Data Science (RHODS) | rhods/odh-operator-rhel8 | Not affected | | |
| Red Hat OpenShift Data Science (RHODS) | rhods/odh-rhel8-operator | Not affected | | |
| Red Hat OpenShift Dev Spaces 3 Containers | devspaces/code-rhel8 | Fixed | RHSA-2024:10236 | 25.11.2024 |
| Red Hat OpenShift Dev Spaces 3 Containers | devspaces/dashboard-rhel8 | Fixed | RHSA-2024:10236 | 25.11.2024 |
| Red Hat Developer Hub 1.6 | registry.redhat.io/rhdh/rhdh-hub-rhel9 | Fixed | RHSA-2025:7626 | 14.05.2025 |
Additional information
CVSS3: 9.8 Critical
Related vulnerabilities
JSONPath Plus Remote Code Execution (RCE) Vulnerability (CVSS3: 9.8 Critical)
All versions of the package jsonpath-plus are vulnerable to Remote Code Execution (RCE) due to improper input sanitization. An attacker can execute arbitrary code on the system by exploiting the unsafe default usage of vm in Node. **Note:** There were several attempts to fix it in versions [10.0.0-10.1.0](https://github.com/JSONPath-Plus/JSONPath/compare/v9.0.0...v10.1.0), but it could still be exploited using [different payloads](https://github.com/JSONPath-Plus/JSONPath/issues/226).