CVE-2025-1302 Overview
CVE-2025-1302 is a Remote Code Execution (RCE) vulnerability affecting versions of the jsonpath-plus npm package before 10.3.0. The vulnerability stems from improper input sanitization, allowing attackers to execute arbitrary code on affected systems by exploiting the unsafe default usage of eval='safe' mode. This vulnerability represents an incomplete fix for the previously disclosed CVE-2024-21534.
Critical Impact
Attackers can achieve remote code execution on systems running vulnerable versions of jsonpath-plus, potentially leading to complete system compromise, data exfiltration, and lateral movement within affected environments.
Affected Products
- jsonpath-plus npm package versions before 10.3.0
- Applications and services utilizing vulnerable jsonpath-plus versions
- Node.js environments with jsonpath-plus as a dependency
Discovery Timeline
- February 15, 2025 - CVE-2025-1302 published to NVD
- February 15, 2025 - Last updated in NVD database
Technical Details for CVE-2025-1302
Vulnerability Analysis
This vulnerability is classified as Code Injection (CWE-94) and enables remote code execution through the jsonpath-plus library's handling of JSONPath expressions. The issue originates from the Safe-Script.js component of the library, where input sanitization measures implemented to address CVE-2024-21534 were incomplete.
The jsonpath-plus library provides JSONPath querying functionality for JavaScript applications, commonly used to extract and manipulate data from JSON structures. When processing specially crafted JSONPath expressions, the library fails to properly sanitize input before evaluation, even when the eval='safe' mode is engaged—a setting that should theoretically prevent arbitrary code execution.
Root Cause
The root cause lies in the incomplete implementation of input sanitization within the Safe-Script.js module. The previous security fix for CVE-2024-21534 attempted to restrict dangerous operations within the safe evaluation mode, but edge cases remained that allow attackers to bypass these protections. The vulnerable code path exists in the script evaluation mechanism, where specially crafted input can escape the intended sandbox restrictions.
Attack Vector
The attack vector is network-based, requiring no authentication or user interaction. An attacker can exploit this vulnerability by supplying a malicious JSONPath expression to an application using the vulnerable jsonpath-plus library. This is particularly dangerous in scenarios where:
- User-supplied input is processed through JSONPath queries
- API endpoints accept JSONPath expressions as parameters
- Configuration files or external data sources contain JSONPath expressions that are evaluated
A proof-of-concept demonstrating this vulnerability is available through the GitHub Gist PoC. The vulnerable code path can be examined in the Safe-Script.js source file on GitHub.
Detection Methods for CVE-2025-1302
Indicators of Compromise
- Unexpected process spawning from Node.js applications utilizing jsonpath-plus
- Anomalous network connections originating from Node.js processes
- Unusual system commands being executed in the context of web application processes
- Log entries showing malformed or suspicious JSONPath expressions
Detection Strategies
- Implement application-level logging to capture JSONPath expressions before evaluation
- Deploy runtime application self-protection (RASP) solutions to detect code injection attempts
- Monitor package manifests (package.json, package-lock.json) for vulnerable jsonpath-plus versions
- Use software composition analysis (SCA) tools to identify vulnerable dependencies across your codebase
Monitoring Recommendations
- Enable verbose logging for applications processing JSON data with JSONPath queries
- Monitor for unusual characters or patterns in JSONPath expressions that may indicate exploitation attempts
- Set up alerts for any code execution anomalies in production Node.js environments
- Implement egress filtering to detect potential data exfiltration following successful exploitation
How to Mitigate CVE-2025-1302
Immediate Actions Required
- Update jsonpath-plus to version 10.3.0 or later immediately
- Audit all applications and services for jsonpath-plus dependencies
- Review application code to identify where user input may flow into JSONPath expressions
- Implement input validation at application boundaries before processing JSONPath queries
Patch Information
The jsonpath-plus maintainers have addressed this vulnerability in version 10.3.0. The security fix can be reviewed in the GitHub commit. Organizations should update their dependencies by running the appropriate package manager commands and verifying the updated version is in use.
Additional details about this vulnerability are available in the Snyk Vulnerability Report.
Workarounds
- If immediate patching is not possible, avoid processing untrusted input through JSONPath expressions
- Implement strict input validation and allowlisting for any JSONPath expressions accepted from external sources
- Consider temporarily disabling functionality that relies on dynamic JSONPath evaluation
- Isolate applications using vulnerable versions in restricted network segments to limit potential impact
# Update jsonpath-plus to patched version
npm update jsonpath-plus@^10.3.0
# Verify installed version
npm list jsonpath-plus
# Audit for vulnerabilities
npm audit
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
