GHSA-87R5-MP6G-5W5J

Vulnerability from github – Published: 2026-02-09 06:30 – Updated: 2026-02-17 21:47
Summary
jsonpath has Arbitrary Code Injection via Unsafe Evaluation of JSON Path Expressions
Details

Impact

Arbitrary Code Injection (Remote Code Execution & XSS):

A critical security vulnerability affects all versions of the jsonpath package. The library relies on the static-eval module to evaluate the script and filter expressions embedded in JSON Path expressions, but it neither sanitizes nor sandboxes that input.

This allows an attacker who controls a JSON Path expression to inject arbitrary JavaScript code into it. When the library evaluates the expression, the injected code is executed.

  • Node.js Environments: This leads to Remote Code Execution (RCE), allowing an attacker to compromise the server.
  • Browser Environments: This leads to Cross-Site Scripting (XSS), allowing an attacker to hijack user sessions or exfiltrate data.

Affected Methods:

The vulnerability triggers when untrusted data is passed to any method that evaluates a path, including:

  • jsonpath.query
  • jsonpath.nodes
  • jsonpath.paths
  • jsonpath.value
  • jsonpath.parent
  • jsonpath.apply

Patches

No Patch Available:

Currently, all versions of jsonpath are vulnerable. There is no known patched version of this package that resolves the issue while retaining the current architecture.

Recommendation:

Developers are strongly advised to migrate to a secure alternative (such as jsonpath-plus or similar libraries that do not use eval/static-eval) or strictly validate all JSON Path inputs against a known allowlist.

Workarounds

  • Strict Input Validation: Ensure that no user-supplied data is ever passed directly to jsonpath functions.
  • Sanitization: If user input is unavoidable, implement a strict parser to reject any JSON Path expressions containing executable JavaScript syntax (e.g., parentheses (), script expressions script:, or function calls).
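As an added example that is not part of this advisory or of the jsonpath project, the following Node.js code implements the two workarounds above: a strict parser that accepts only the plain JSONPath subset (root, member access, wildcards, recursive descent, integer indices, unions, slices and quoted bracket names) and therefore rejects the filter and script expressions that jsonpath hands to static-eval, plus an exact-match allowlist for the case where the application knows every path it needs. The function names (validateJsonPath, isSafeJsonPath, gateJsonPath), the accepted subset, the length cap and the sample paths are this example's own assumptions; the jsonpath library itself is not called, so the block runs without installing it.

```javascript
// Added example (not code from the jsonpath project): an allowlist-style
// validator that an application runs on an untrusted JSON Path string
// BEFORE handing it to jsonpath.query/nodes/paths/value/parent/apply.
// Only the "plain" JSONPath subset is accepted. Filter and script
// expressions, the parts jsonpath evaluates with static-eval, are rejected,
// as is anything else the grammar below does not recognise. Function names
// and sample paths are this example's own choices, not jsonpath API.

// Characters that never occur in the plain subset but do occur in filter /
// script expressions and JavaScript code. Rejecting them first is cheap
// defence in depth on top of the grammar walk.
const FORBIDDEN_CHARS = /[()?@;={}`\\]/;

// One path segment of the safe subset, anchored at the current position.
const SEGMENT = new RegExp(
  '^(?:' +
    // .name   ..name   .*   ..*
    '\\.\\.?(?:\\*|[A-Za-z_][A-Za-z0-9_]*)' +
  '|' +
    // [*]  [3]  [-1]  [0,2]  [1:3]  [::2]  ['key']  ["key"]
    '\\[\\s*(?:' +
      '\\*' +
      '|-?\\d+(?:\\s*,\\s*-?\\d+)*' +
      '|(?:-?\\d+)?\\s*:\\s*(?:-?\\d+)?(?:\\s*:\\s*(?:-?\\d+)?)?' +
      "|'[^'\\\\]*'" +
      '|"[^"\\\\]*"' +
    ')\\s*\\]' +
  ')'
);

const MAX_PATH_LENGTH = 256; // arbitrary cap chosen for this example

// Walks the expression segment by segment; any leftover input is a rejection.
function validateJsonPath(expr) {
  if (typeof expr !== 'string') return { ok: false, reason: 'not a string' };
  if (expr.length === 0 || expr.length > MAX_PATH_LENGTH) {
    return { ok: false, reason: 'empty or too long' };
  }
  if (FORBIDDEN_CHARS.test(expr)) {
    return { ok: false, reason: 'contains filter/script syntax' };
  }
  if (expr[0] !== '$') return { ok: false, reason: 'must start with $' };
  let pos = 1;
  while (pos < expr.length) {
    const m = SEGMENT.exec(expr.slice(pos));
    if (m === null) return { ok: false, reason: `unexpected token at offset ${pos}` };
    pos += m[0].length;
  }
  return { ok: true, reason: 'plain path' };
}

function isSafeJsonPath(expr) {
  return validateJsonPath(expr).ok;
}

// The stricter option from the advisory: the untrusted string is only ever a
// lookup key into a fixed set of paths the application actually needs, so no
// user-controlled text reaches jsonpath at all.
function gateJsonPath(expr, allowlist) {
  if (!allowlist.has(expr)) {
    throw new Error('JSON Path expression is not in the allowlist');
  }
  return expr;
}

// Constructed sample inputs for a stand-alone run (not taken from a real app).
const SAMPLE_PATHS = [
  '$.store.book[*].author',
  "$.store['bicycle'].color",
  '$..book[-1:]',
  '$..book[0,1]',
  '$..book[?(@.isbn)]',      // filter expression: would reach static-eval
  '$..book[(@.length-1)]',   // script expression: would reach static-eval
  '$.a..',                   // malformed
];

function auditPaths(paths) {
  return paths.map((p) => ({ path: p, ...validateJsonPath(p) }));
}

for (const verdict of auditPaths(SAMPLE_PATHS)) {
  console.log(verdict.ok ? 'ACCEPT' : 'REJECT', verdict.path, '->', verdict.reason);
}
```

Place the check at the trust boundary, before the string reaches any of the methods listed under Affected Methods. Where the set of paths is known in advance, the allowlist variant is preferable: the user then supplies only a key and never a path, and the grammar walk is no longer part of the attack surface.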

Resources

  • CVE-2026-1615: https://nvd.nist.gov/vuln/detail/CVE-2026-1615
  • Vulnerable Code in handlers.js: https://github.com/dchester/jsonpath/blob/c1dd8ec74034fb0375233abb5fdbec51ac317b4b/lib/handlers.js#L243
  • Snyk Advisory (Java/WebJars): https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-15141219
  • Snyk Advisory (JS): https://security.snyk.io/vuln/SNYK-JS-JSONPATH-13645034

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "jsonpath"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "1.2.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-1615"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-94"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-02-12T15:29:55Z",
    "nvd_published_at": "2026-02-09T05:16:24Z",
    "severity": "HIGH"
  },
  "details": "### Impact\n\n**Arbitrary Code Injection (Remote Code Execution \u0026 XSS):**\n\nA critical security vulnerability affects **all versions** of the `jsonpath` package. The library relies on the `static-eval` module to evaluate JSON Path expressions but fails to properly sanitize or sandbox the input.\n\nThis allows an attacker to inject arbitrary JavaScript code into the JSON Path expression. When the library evaluates this expression, the malicious code is executed.\n\n* **Node.js Environments:** This leads to **Remote Code Execution (RCE)**, allowing an attacker to compromise the server.\n* **Browser Environments:** This leads to **Cross-Site Scripting (XSS)**, allowing an attacker to hijack user sessions or exfiltrate data.\n\n**Affected Methods:**\n\nThe vulnerability triggers when untrusted data is passed to any method that evaluates a path, including:\n\n* `jsonpath.query`\n* `jsonpath.nodes`\n* `jsonpath.paths`\n* `jsonpath.value`\n* `jsonpath.parent`\n* `jsonpath.apply`\n\n### Patches\n\n**No Patch Available:**\n\nCurrently, **all versions** of `jsonpath` are vulnerable. There is no known patched version of this package that resolves the issue while retaining the current architecture.\n\n**Recommendation:**\n\nDevelopers are strongly advised to **migrate to a secure alternative** (such as `jsonpath-plus` or similar libraries that do not use `eval`/`static-eval`) or strictly validate all JSON Path inputs against a known allowlist.\n\n### Workarounds\n\n* **Strict Input Validation:** Ensure that no user-supplied data is ever passed directly to `jsonpath` functions.\n* **Sanitization:** If user input is unavoidable, implement a strict parser to reject any JSON Path expressions containing executable JavaScript syntax (e.g., parentheses `()`, script expressions `script:`, or function calls).\n\n### Resources\n\n* [CVE-2026-1615](https://nvd.nist.gov/vuln/detail/CVE-2026-1615)\n* [Vulnerable Code in handlers.js](https://github.com/dchester/jsonpath/blob/c1dd8ec74034fb0375233abb5fdbec51ac317b4b/lib/handlers.js#L243)\n* [Snyk Advisory (Java/WebJars)](https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-15141219)\n* [Snyk Advisory (JS)](https://security.snyk.io/vuln/SNYK-JS-JSONPATH-13645034)",
  "id": "GHSA-87r5-mp6g-5w5j",
  "modified": "2026-02-17T21:47:32Z",
  "published": "2026-02-09T06:30:28Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-1615"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/dchester/jsonpath"
    },
    {
      "type": "WEB",
      "url": "https://github.com/dchester/jsonpath/blob/c1dd8ec74034fb0375233abb5fdbec51ac317b4b/lib/handlers.js#L243"
    },
    {
      "type": "WEB",
      "url": "https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-15141219"
    },
    {
      "type": "WEB",
      "url": "https://security.snyk.io/vuln/SNYK-JS-JSONPATH-13645034"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P",
      "type": "CVSS_V4"
    }
  ],
  "summary": "jsonpath has Arbitrary Code Injection via Unsafe Evaluation of JSON Path Expressions"
}