Red Hat CVE-2025-1302

HIGH
Code Injection (CWE-94)
2025-02-15 report@snyk.io
High
Disputed · 8.9 NVD
Severity by source

Sources disagree (Low–Critical)
NVD PRIMARY
8.9 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
SUSE
9.8 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Red Hat
9.8 LOW
qualitative

vuln.today treats the vendor’s rating as authoritative. A higher third-party CVSS (e.g. CISA-ADP) is shown for transparency but does not drive the headline severity.

CVSS Vector (NVD)

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

Patch released
Mar 31, 2026 - 21:13 nvd
Patch available
Analysis Generated
Mar 28, 2026 - 18:26 vuln.today
CVE Published
Feb 15, 2025 - 05:15 nvd
HIGH 8.9

Blast Radius

Ecosystem impact (transitive dependency graph; vuln.today resolves to 4-path depth):
  • 562 npm packages depend on jsonpath-plus (42 direct, 521 indirect)

Ecosystem-wide dependent count for version 10.3.0.

Description (CVE.org)

Versions of the package jsonpath-plus before 10.3.0 are vulnerable to Remote Code Execution (RCE) due to improper input sanitization. An attacker can execute arbitrary code on the system by exploiting the unsafe default usage of eval='safe' mode. Note: This is caused by an incomplete fix for CVE-2024-21534.

Analysis (AI)

The jsonpath-plus npm package before version 10.3.0 contains a remote code execution vulnerability due to improper input sanitization in the eval='safe' mode. Despite being labeled 'safe', the evaluation mode allows attackers to escape the sandbox and execute arbitrary JavaScript, affecting any application processing untrusted JSONPath expressions.

Technical Context (AI)

jsonpath-plus provides JSONPath query capabilities for JavaScript applications. The eval='safe' mode was intended to provide sandboxed expression evaluation but fails to properly restrict the execution context. An attacker can craft a JSONPath expression that breaks out of the sandbox using constructor chain techniques (e.g., this.constructor.constructor('return process')()) to access Node.js globals and execute arbitrary code. This is an incomplete fix for CVE-2024-21534.

Affected Products (AI)

  • jsonpath-plus < 10.3.0
  • Applications using jsonpath-plus with user-controlled queries

Remediation (AI)

Update jsonpath-plus to version 10.3.0 or later. Never pass untrusted input as JSONPath expressions. If JSONPath queries must be user-controlled, implement server-side validation that rejects expressions containing constructor, __proto__, or prototype references before they reach the query engine; treat this as defence in depth, not as a substitute for upgrading.
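The following is an added example, not code from the jsonpath-plus project or from vuln.today, showing the two remediation steps above as a small pre-check: a deny-list screen that refuses JSONPath expressions referencing constructor, __proto__ or prototype (after decoding JavaScript and percent escapes, so an escaped spelling does not slip past a naive substring match), and a version gate against the fixed release 10.3.0. The function names, the 512-character length cap and the sample queries are assumptions made for the example; the sample queries are constructed inline.

```javascript
// Added example (not jsonpath-plus project code): screen user-supplied JSONPath
// expressions before they reach a query engine, and gate on the fixed version.

// Tokens the remediation advice says to reject in user-controlled queries.
const FORBIDDEN_TOKENS = ['constructor', '__proto__', 'prototype'];

// Fixed release per the advisory; versions below this are affected.
const FIXED_VERSION = '10.3.0';

// Decode common escape forms so the deny-list sees the same text the engine
// would, then lower-case for a case-insensitive comparison.
function normalize(expr) {
  let s = expr;
  // JavaScript-style \uXXXX and \u{...} escapes
  s = s.replace(/\\u([0-9a-fA-F]{4})/g, (_, h) => String.fromCharCode(parseInt(h, 16)));
  s = s.replace(/\\u\{([0-9a-fA-F]{1,6})\}/g, (_, h) => String.fromCodePoint(parseInt(h, 16)));
  // JavaScript-style \xXX escapes
  s = s.replace(/\\x([0-9a-fA-F]{2})/g, (_, h) => String.fromCharCode(parseInt(h, 16)));
  // Percent-encoding; malformed sequences are left untouched rather than thrown on
  try { s = decodeURIComponent(s); } catch (e) { /* keep s as-is */ }
  return s.toLowerCase();
}

// Returns { ok, reason }. Deliberately conservative: any occurrence of a
// forbidden token, even inside a longer property name, is rejected.
function checkJsonPathQuery(expr, { maxLength = 512 } = {}) {
  if (typeof expr !== 'string') return { ok: false, reason: 'not a string' };
  if (expr.length > maxLength) return { ok: false, reason: 'too long' };
  const norm = normalize(expr);
  for (const tok of FORBIDDEN_TOKENS) {
    if (norm.includes(tok)) return { ok: false, reason: `forbidden token: ${tok}` };
  }
  return { ok: true, reason: null };
}

// Minimal major.minor.patch comparison (assumption: plain numeric versions;
// a pre-release suffix such as "10.3.0-beta" is treated as not patched).
function versionAtLeast(installed, minimum) {
  const a = installed.split('.').map(Number);
  const b = minimum.split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const x = a[i] || 0, y = b[i] || 0;
    if (x !== y) return x > y;
  }
  return true;
}

function isPatched(installedVersion) {
  return versionAtLeast(installedVersion, FIXED_VERSION);
}

// Constructed sample queries for the demonstration.
const SAMPLE_QUERIES = [
  '$.store.book[?(@.price < 10)].title',   // ordinary filter: allowed
  '$..author',                             // recursive descent: allowed
  "$[?(@['__proto__'])]",                  // prototype reference: rejected
  '$[?(@.\\u0063onstructor)]',             // escaped spelling of constructor: rejected after normalization
];

for (const q of SAMPLE_QUERIES) {
  console.log(JSON.stringify(q), '=>', checkJsonPathQuery(q));
}
console.log('10.2.0 patched?', isPatched('10.2.0'), '| 10.3.0 patched?', isPatched('10.3.0'));
```

Run the screen on the query string before it is handed to the JSONPath engine, and log rejections with the reason so that probing for the sandbox escape shows up in application telemetry. The normalization step matters: a deny-list that only matches the literal spelling is trivially bypassed by escape sequences that the expression evaluator would decode anyway.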

Vendor Status

SUSE

Severity: Critical
