SNYK-JS-JSONPATH-13645034
## Overview [jsonpath](https://www.npmjs.org/package/jsonpath) is a Query JavaScript objects with JSONPath expressions. Robust / safe JSONPath engine for Node.js. Affected versions of this package are vulnerable to Arbitrary Code Injection via unsafe evaluation of user-supplied JSON Path expressions. The library relies on the `static-eval` module to process JSON Path input, which is not designed to handle untrusted data safely. An attacker can exploit this vulnerability by supplying a malicious JSON Path expression that, when evaluated, executes arbitrary JavaScript code, leading to Remote Code Execution in Node.js environments or Cross-site Scripting (XSS) in browser contexts. This affects all methods that evaluate JSON Paths against objects, including `.query`, `.nodes`, `.paths`, `.value`, `.parent`, and `.apply`. ## Remediation Upgrade `jsonpath` to version 1.2.0 or higher. ## References - [GitHub Commit](https://github.com/dchester/jsonpath/commit/9631412641b7095f86840a7a45b5b3afc68b0fcb) - [Vulnerable Code](https://github.com/dchester/jsonpath/blob/c1dd8ec74034fb0375233abb5fdbec51ac317b4b/lib/handlers.js#L243)
Risk Scores
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| 0 |
Exploit Intelligence
- report.json (github-poc)
- context-runner.ts (github-poc)
- security.js (github-poc)
- security.js (github-poc)
- security.js (github-poc)
- cve_management_service.py (github-poc)
Timeline
- Jun 20, 2025 CVE Updated
- Feb 5, 2026 CVE Published
References
- https://security.snyk.io/vuln/SNYK-JS-JSONPATH-13645034 advisory
- https://learn.snyk.io/lesson/prototype-pollution/ technical
- https://www.npmjs.org/package/jsonpath technical
- https://github.com/dchester/jsonpath/commit/9631412641b7095f86840a7a45b5b3afc68b0fcb patch
- https://github.com/dchester/jsonpath/blob/c1dd8ec74034fb0375233abb5fdbec51ac317b4b/lib/handlers.js#L243 technical