How to fix CVE-2025-61140?

Within 24 hours: Identify all applications and dependencies using Jsonpath ≤1.1.1 through software inventory and dependency scanning tools; assess exposure by determining if vulnerable code paths process untrusted user input. Within 7 days: Implement network segmentation and WAF rules to restrict suspicious JSON payloads; disable Jsonpath features if not business-critical; escalate to development teams for remediation planning. Within 30 days: Upgrade Jsonpath to version >1.1.1 once available or migrate to alternative JSON parsing libraries; conduct security testing post-remediation; document all mitigations applied.

Is Jsonpath affected by CVE-2025-61140?

A critical prototype pollution vulnerability in Jsonpath library (versions ≤1.1.1) could allow attackers to manipulate application objects and bypass security controls, potentially leading to unauthorized data access or system compromise.

CVE-2025-61140

CRITICAL

2026-01-28 [email protected]

GHSA-6c59-mwgh-r2x6

9.8

CVSS 3.1

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Lifecycle Timeline

Patch Released

Mar 31, 2026 - 21:13 nvd

Patch available

Analysis Generated

Mar 12, 2026 - 21:54 vuln.today

CVE Published

Jan 28, 2026 - 16:16 nvd

CRITICAL 9.8

Description

The value function in jsonpath 1.1.1 lib/index.js is vulnerable to Prototype Pollution.

Analysis

jsonpath library 1.1.1 has a prototype pollution vulnerability in the value function that allows attackers to modify JavaScript object prototypes and potentially achieve RCE.

Technical Context

The value function in jsonpath 1.1.1 (lib/index.js) is vulnerable to CWE-1321 prototype pollution, allowing attackers to inject properties into JavaScript Object.prototype through crafted JSONPath expressions.

Affected Products

['jsonpath 1.1.1']

Remediation

Update jsonpath. Use Object.create(null) for untrusted data. Freeze Object.prototype in critical applications.

Priority Score

Low Medium High Critical

KEV: 0

EPSS: +0.1

CVSS: +49

POC: 0

Vendor Status

CVE-2025-61140 vulnerability details – vuln.today

Back

CVE-2025-61140

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Technical Context

Affected Products

Remediation

Priority Score

Vendor Status

Share

CVE-2025-61140

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Technical Context

Affected Products

Remediation

Priority Score

Vendor Status

Share

External POC / Exploit Code