CVE-2025-61140 Overview
CVE-2025-61140 is a Prototype Pollution vulnerability discovered in the jsonpath library version 1.1.1, specifically affecting the value function within lib/index.js. Prototype Pollution is a dangerous class of vulnerability that allows attackers to inject properties into JavaScript object prototypes, potentially leading to remote code execution, denial of service, or security feature bypasses in applications that use the affected library.
Critical Impact
This Prototype Pollution vulnerability in the jsonpath library could allow attackers to manipulate JavaScript object prototypes, potentially enabling remote code execution, denial of service, or bypassing security controls in applications that process untrusted input through the affected value function.
Affected Products
- jsonpath version 1.1.1
- Applications using the vulnerable value function in lib/index.js
- Node.js applications dependent on jsonpath for JSON path queries
Discovery Timeline
- 2026-01-28 - CVE CVE-2025-61140 published to NVD
- 2026-01-29 - Last updated in NVD database
Technical Details for CVE-2025-61140
Vulnerability Analysis
This vulnerability is classified under CWE-1321 (Improperly Controlled Modification of Object Prototype Attributes). Prototype Pollution occurs when an application allows user-controlled input to modify the prototype of base JavaScript objects. In the case of jsonpath 1.1.1, the value function in lib/index.js fails to properly sanitize input, allowing attackers to inject malicious properties into the Object.prototype.
When successfully exploited, the attacker can add or modify properties on the global Object.prototype, which then propagates to all JavaScript objects in the application. This can lead to severe consequences including property injection attacks, denial of service through pollution of critical properties, or even remote code execution when combined with certain application logic patterns.
Root Cause
The root cause of this vulnerability lies in the improper handling of user-controlled JSON path expressions within the value function. The function does not adequately validate or sanitize input that could contain property names like __proto__, constructor, or prototype. When the jsonpath library processes a maliciously crafted path expression, it can inadvertently write to the prototype chain instead of the intended object properties.
Attack Vector
The attack vector is network-based, requiring no authentication or user interaction. An attacker can exploit this vulnerability by sending specially crafted JSON path queries to an application that uses the vulnerable jsonpath library to process external input. The attack can be conducted remotely against any exposed endpoint that passes user-controlled data to the value function.
A typical attack scenario involves crafting a JSON path expression that includes prototype pollution payloads such as __proto__ segments. When the vulnerable value function processes this input, it writes the attacker-controlled value to the object prototype, affecting all objects in the application context.
For technical details and proof-of-concept information, refer to the GitHub Gist PoC Source which documents the exploitation mechanism.
Detection Methods for CVE-2025-61140
Indicators of Compromise
- Unexpected properties appearing on JavaScript objects that were not explicitly defined
- Application behavior changes such as authentication bypasses or unexpected code paths being executed
- Error messages or logs indicating prototype-related anomalies
- JSON path queries containing __proto__, constructor.prototype, or similar prototype-targeting patterns in application logs
Detection Strategies
- Implement input validation rules to detect and block JSON path expressions containing prototype pollution patterns (__proto__, constructor, prototype)
- Monitor application logs for suspicious JSON path queries that include property names commonly used in prototype pollution attacks
- Deploy Web Application Firewalls (WAF) with rules to detect prototype pollution payloads in request parameters
- Use runtime application self-protection (RASP) solutions to detect prototype modifications at runtime
Monitoring Recommendations
- Enable verbose logging for the jsonpath library and monitor for unusual query patterns
- Implement integrity monitoring for critical JavaScript object properties in production applications
- Set up alerts for authentication or authorization anomalies that could indicate successful prototype pollution exploitation
- Monitor npm dependency audit reports for applications using jsonpath
How to Mitigate CVE-2025-61140
Immediate Actions Required
- Audit all applications using jsonpath 1.1.1 to identify exposure to the vulnerable value function
- Implement input sanitization to reject JSON path expressions containing __proto__, constructor, or prototype keywords
- Consider replacing the jsonpath library with an alternative that is not vulnerable to prototype pollution
- Apply object freezing techniques using Object.freeze(Object.prototype) as a defense-in-depth measure where applicable
Patch Information
As of the last NVD update on 2026-01-29, users should check the GitHub JSONPath Repository for any security patches or updated versions that address this vulnerability. Organizations should monitor the repository for official fixes and apply them immediately when available.
Workarounds
- Sanitize all user input before passing it to the jsonpath value function, specifically blocking paths containing prototype-related keywords
- Use Object.create(null) for objects that will be processed by jsonpath to create prototype-less objects that are immune to prototype pollution
- Implement a wrapper function around jsonpath calls that validates path expressions against a whitelist of allowed patterns
- Consider using --frozen-intrinsics flag in Node.js environments to prevent prototype modifications
# Configuration example - Input validation for prototype pollution prevention
# Add to your application's input validation middleware
# Block requests containing prototype pollution patterns
# Example nginx configuration:
# location /api {
# if ($request_body ~* "__proto__|constructor\.prototype|Object\.prototype") {
# return 403;
# }
# }
# Node.js startup with frozen intrinsics (Node.js 12+):
node --frozen-intrinsics --experimental-options app.js
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
