CVE-2025-1302

Severity: HIGH
Published: 2025-02-15 [email protected]
Score: 8.9 (CVSS 4.0)

CVSS Vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: X

Lifecycle Timeline

Patch Released: Mar 31, 2026 - 21:13 (nvd) - patch available
Analysis Generated: Mar 28, 2026 - 18:26 (vuln.today)
CVE Published: Feb 15, 2025 - 05:15 (nvd)

Description

Versions of the package jsonpath-plus before 10.3.0 are vulnerable to Remote Code Execution (RCE) due to improper input sanitization. An attacker can execute arbitrary code on the system by exploiting the unsafe default usage of eval='safe' mode. **Note:** This is caused by an incomplete fix for [CVE-2024-21534](https://security.snyk.io/vuln/SNYK-JS-JSONPATHPLUS-7945884).

Analysis

The jsonpath-plus npm package before version 10.3.0 contains a remote code execution vulnerability due to improper input sanitization in the eval='safe' mode. Despite being labeled 'safe', the evaluation mode allows attackers to escape the sandbox and execute arbitrary JavaScript, affecting any application processing untrusted JSONPath expressions.

Technical Context

jsonpath-plus provides JSONPath query capabilities for JavaScript applications. The eval='safe' mode was intended to provide sandboxed expression evaluation but fails to properly restrict the execution context. An attacker can craft a JSONPath expression that breaks out of the sandbox using constructor chain techniques (e.g., this.constructor.constructor('return process')()) to access Node.js globals and execute arbitrary code. The issue exists because the fix for CVE-2024-21534 was incomplete.

Affected Products

jsonpath-plus < 10.3.0
Applications using jsonpath-plus with user-controlled queries

Remediation

Update jsonpath-plus to version 10.3.0 or later. Never pass untrusted input as JSONPath expressions. If JSONPath queries must be user-controlled, implement server-side validation that rejects expressions containing constructor, __proto__, or prototype references.
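Added example, not code from the vuln.today page or from the jsonpath-plus project: a server-side pre-check for user-controlled JSONPath expressions in the spirit of the last Remediation sentence. `validateJsonPath`, its `strict` and `maxLength` options, and the allowed-subset grammar are this example's own assumptions. Strict mode goes beyond the page's identifier denylist: it also refuses anything outside a small path-only JSONPath subset, so filter `?(...)` and script `(...)` expressions from users never reach the evaluator at all.

```javascript
// Added example, not code from the vuln.today page or from jsonpath-plus:
// a server-side pre-check for user-controlled JSONPath expressions.
// validateJsonPath, its options and the allowed-subset grammar below are
// this example's own choices.

// Identifiers the Remediation section says to reject. Matched as whole
// words so `.constructor`, `['constructor']` and `?(@.constructor)` are all
// caught, while a field that merely contains the text (e.g. `myconstructor`)
// is not.
const DENIED_IDENTIFIERS = ['constructor', '__proto__', 'prototype'];
const DENIED_RE = new RegExp(`\\b(${DENIED_IDENTIFIERS.join('|')})\\b`);

// Conservative allow-list used by strict mode (an assumption of this
// example, not jsonpath-plus's grammar): root, dot or recursive-descent
// child access, wildcards, quoted keys, numeric indices and slices.
// Filter `?(...)` and script `(...)` expressions, which are what reach the
// expression evaluator, are deliberately outside this subset.
const SAFE_SUBSET_RE =
  /^\$(\.\.?(\*|[A-Za-z_][A-Za-z0-9_]*)|\[(\*|-?\d*(:-?\d*){1,2}|-?\d+|'[^'\\]*'|"[^"\\]*")\])*$/;

function validateJsonPath(expr, { strict = true, maxLength = 256 } = {}) {
  if (typeof expr !== 'string') {
    return { ok: false, reason: 'expression must be a string' };
  }
  if (expr.length > maxLength) {
    return { ok: false, reason: `expression longer than ${maxLength} characters` };
  }
  // Strip whitespace before matching so spacing cannot hide a token from
  // either check; the caller still passes the original string on if allowed.
  const compact = expr.replace(/\s+/g, '');
  const hit = compact.match(DENIED_RE);
  if (hit) {
    return { ok: false, reason: `denied identifier: ${hit[1]}` };
  }
  if (strict && !SAFE_SUBSET_RE.test(compact)) {
    return { ok: false, reason: 'expression outside the allowed JSONPath subset' };
  }
  return { ok: true };
}

// Constructed sample queries, as a request handler might receive them.
const SAMPLES = [
  '$.store.book[*].author',
  '$..book[0:2].title',
  "$['__proto__']",
  '$[?(@.constructor)]',
  '$..book[?(@.price < 10)]',
];

// Run the validator over a batch and keep the verdict next to each query.
function checkAll(queries, opts) {
  return queries.map((q) => ({ query: q, ...validateJsonPath(q, opts) }));
}

for (const r of checkAll(SAMPLES)) {
  console.log(r.ok ? 'ALLOW ' : 'REJECT', r.query, r.reason ?? '');
}
```

The identifier check runs before the subset check so the response names the denied token even when strict mode would have rejected the query anyway. Treat this as defense in depth only: it is a pattern match on a string, not a parser of the library's grammar, and upgrading to 10.3.0 or later remains the actual fix.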

Priority Score

133 (scale: Low / Medium / High / Critical)
Components: KEV 0, EPSS +88.9, CVSS +44, POC 0

Vendor Status


CVE-2025-1302 vulnerability details – vuln.today
