GHSA-pppg-cpfq-h7wr

GitHub Security Advisory

JSONPath Plus Remote Code Execution (RCE) Vulnerability

✓ GitHub Reviewed CRITICAL Has CVE

Advisory Details

Versions of the package jsonpath-plus before 10.0.7 are vulnerable to Remote Code Execution (RCE) due to improper input sanitization. An attacker can execute arbitrary code on the system by exploiting the unsafe default usage of vm in Node.

**Note:**

There were several attempts to fix it in versions [10.0.0-10.1.0](https://github.com/JSONPath-Plus/JSONPath/compare/v9.0.0...v10.1.0), but it could still be exploited using [different payloads](https://github.com/JSONPath-Plus/JSONPath/issues/226).

Affected Packages

npm jsonpath-plus
Affected versions: 0 (fixed in 10.2.0)
Maven org.webjars.npm:jsonpath-plus
Affected versions: 0 (last affected: 6.0.1)
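A dependency check a defender might run against this advisory, added here as an example (not code from the advisory or the jsonpath-plus project): it walks a lockfile's `packages` map and flags every installed copy of jsonpath-plus below the npm fixed version 10.2.0, including nested copies that the note about partially fixed 10.0.0-10.1.0 releases makes worth catching. The lockfile contents are constructed, and the npm v2/v3 `packages` layout is assumed.

```javascript
// Constructed package-lock.json (lockfileVersion 2/3 "packages" shape) for demonstration.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/jsonpath-plus": { version: "10.1.0" },
    "node_modules/some-tool/node_modules/jsonpath-plus": { version: "10.2.0" },
    "node_modules/left-pad": { version: "1.3.0" },
  },
};

// Parse "MAJOR.MINOR.PATCH"; any pre-release or build suffix is ignored.
function parseSemver(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1, 4).map(Number);
}

// Numeric comparison, so "10.10.0" is correctly newer than "10.2.0".
function semverLt(a, b) {
  const [x, y] = [parseSemver(a), parseSemver(b)];
  for (let i = 0; i < 3; i++) {
    if (x[i] !== y[i]) return x[i] < y[i];
  }
  return false;
}

// Return every installed copy of `pkg` (top-level or nested) whose version is below `fixedIn`.
// Defaults use the package name and npm fixed version stated in this advisory.
function findVulnerable(lock, pkg = "jsonpath-plus", fixedIn = "10.2.0") {
  const hits = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    // Exact "node_modules/<pkg>" suffix avoids matching similarly named packages.
    if (!path.endsWith(`node_modules/${pkg}`)) continue;
    if (semverLt(entry.version, fixedIn)) {
      hits.push({ path, version: entry.version });
    }
  }
  return hits;
}

for (const h of findVulnerable(SAMPLE_LOCK)) {
  console.log(`${h.path}@${h.version}: below fixed version 10.2.0, upgrade required`);
}
```

For a real project, replace SAMPLE_LOCK with `JSON.parse(fs.readFileSync("package-lock.json"))`.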

Key Information

GHSA ID
GHSA-pppg-cpfq-h7wr
Published
October 11, 2024 3:30 PM
Last Modified
February 6, 2025 7:11 PM
CVSS Score
9.0 /10
Primary Ecosystem
npm
Primary Package
jsonpath-plus
GitHub Reviewed
✓ Yes

Dataset

Last updated: June 15, 2025 6:24 AM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.