Skip to main content

Jsonpath CVE-2025-61140

CRITICAL
Improperly Controlled Modification of Object Prototype Attributes (Prototype Pollution) (CWE-1321)
2026-01-28 cve@mitre.org GHSA-6c59-mwgh-r2x6
9.8
CVSS 3.1 · Vendor: mitre
Share

Severity by source

Vendor (mitre) PRIMARY
9.8 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
SUSE
CRITICAL
qualitative
Red Hat
8.8 HIGH
qualitative

Primary rating from Vendor (mitre).

CVSS VectorVendor: mitre

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

3
Patch released
Mar 31, 2026 - 21:13 nvd
Patch available
Analysis Generated
Mar 12, 2026 - 21:54 vuln.today
CVE Published
Jan 28, 2026 - 16:16 nvd
CRITICAL 9.8

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 1 npm packages depend on jsonpath (1 direct, 0 indirect)

Ecosystem-wide dependent count for version 1.2.0.

DescriptionCVE.org

The value function in jsonpath 1.1.1 lib/index.js is vulnerable to Prototype Pollution.

AnalysisAI

jsonpath library 1.1.1 has a prototype pollution vulnerability in the value function that allows attackers to modify JavaScript object prototypes and potentially achieve RCE.

Technical ContextAI

The value function in jsonpath 1.1.1 (lib/index.js) is vulnerable to CWE-1321 prototype pollution, allowing attackers to inject properties into JavaScript Object.prototype through crafted JSONPath expressions.

RemediationAI

Update jsonpath. Use Object.create(null) for untrusted data. Freeze Object.prototype in critical applications.

Vendor StatusVendor

SUSE

Severity: Critical
Product Status
Container suse/manager/4.3/proxy-httpd:4.3.17.9.76.1 Affected
Container suse/manager/5.0/x86_64/server:latest Affected
Image SLES15-SP7-SAP-Azure-LI-BYOS-Production Image SLES15-SP7-SAP-Azure-VLI-BYOS-Production Affected
SUSE Linux Enterprise Desktop 15 SP7 SUSE Linux Enterprise High Performance Computing 15 SP7 SUSE Linux Enterprise Module for Basesystem 15 SP7 SUSE Linux Enterprise Server 15 SP7 SUSE Linux Enterprise Server for SAP Applications 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS Fixed

Share

CVE-2025-61140 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy