CVE-2025-1302

High CVSS: 8.9

Versions of the package jsonpath-plus before 10.3.0 are vulnerable to Remote Code Execution (RCE) due to improper input sanitization. An attacker can execute arbitrary code on the system by exploiting the unsafe default usage of eval='safe' mode.

**Note:**

This is caused by an incomplete fix for [CVE-2024-21534](https://security.snyk.io/vuln/SNYK-JS-JSONPATHPLUS-7945884).

Vendor: -
Product: -
CWE: CWE-94
Published: 2025-02-15 05:15:11
Updated: 2025-02-15 05:15:11
Source Identifier: report@snyk.io
KEV Date Added: -