Skip to main content

jsonpath CVE-2026-1615

HIGH
Code Injection (CWE-94)
2026-02-09 report@snyk.io GHSA-87r5-mp6g-5w5j
8.2
CVSS 4.0 · Vendor: snyk
Share

Severity by source

Vendor (snyk) PRIMARY
8.2 HIGH
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
SUSE
9.8 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Red Hat
9.8 HIGH
qualitative

Primary rating from Vendor (snyk).

CVSS VectorVendor: snyk

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

7
Analysis Updated
Apr 29, 2026 - 01:39 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Apr 29, 2026 - 01:11 vuln.today
cvss_changed
Severity Changed
Apr 29, 2026 - 01:11 NVD
CRITICAL HIGH
CVSS changed
Apr 29, 2026 - 01:11 NVD
9.2 (CRITICAL) 8.2 (HIGH)
Patch released
Mar 31, 2026 - 21:13 nvd
Patch available
Analysis Generated
Mar 12, 2026 - 21:54 vuln.today
CVE Published
Feb 09, 2026 - 05:16 nvd
CRITICAL 9.2

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 49,192 npm packages depend on jsonpath (1,299 direct, 47,928 indirect)

Ecosystem-wide dependent count for version 1.3.0.

DescriptionCVE.org

Versions of the package jsonpath before 1.2.0 are vulnerable to Arbitrary Code Injection via unsafe evaluation of user-supplied JSON Path expressions. The library relies on the static-eval module to process JSON Path input, which is not designed to handle untrusted data safely. An attacker can exploit this vulnerability by supplying a malicious JSON Path expression that, when evaluated, executes arbitrary JavaScript code, leading to Remote Code Execution in Node.js environments or Cross-site Scripting (XSS) in browser contexts. This affects all methods that evaluate JSON Paths against objects, including .query, .nodes, .paths, .value, .parent, and .apply.

AnalysisAI

Remote code execution in the jsonpath npm package (versions <1.2.0) allows unauthenticated attackers to execute arbitrary JavaScript code by injecting malicious JSON Path expressions. The vulnerability stems from unsafe evaluation through the static-eval module, which processes user-supplied JSON Path input without proper sanitization. All query methods (.query, .nodes, .paths, .value, .parent, .apply) are affected. While EPSS scoring indicates relatively low widespread exploitation probability (0.09%, 26th percentile), multiple vendor patches from Red Hat and SUSE confirm the severity, and publicly available exploit code exists (CVSS E:P). This represents critical risk for Node.js applications processing untrusted JSON Path expressions, with potential for both server-side RCE and browser-based XSS depending on execution context.

Technical ContextAI

The jsonpath library is a Node.js implementation of JSONPath query syntax for traversing and extracting data from JSON structures. The vulnerability resides in the library's dependency on the static-eval module to evaluate user-supplied JSON Path expressions. CWE-94 (Improper Control of Generation of Code) occurs because static-eval was not designed as a security boundary for untrusted input. When processing JSON Path queries containing executable JavaScript constructs, the evaluation engine interprets and executes the code rather than treating it as data. The vulnerable code path is in lib/handlers.js (line 243 per references), where expression evaluation occurs without input validation or sandboxing. This architectural flaw affects all methods that traverse JSON objects using evaluated expressions, creating multiple attack surfaces across the API.

Affected ProductsAI

The vulnerability affects the jsonpath npm package versions prior to 1.2.0, used primarily in Node.js server environments and browser-based JavaScript applications. The package is also distributed through WebJars for Java ecosystems (org.webjars.npm:jsonpath, referenced in SNYK-JAVA-ORGWEBJARSNPM-15141219). Red Hat Enterprise Linux and related products incorporating this library are affected, as evidenced by RHSA-2026:6174, RHSA-2026:6308, RHSA-2026:6309, RHSA-2026:6404, and RHSA-2026:6802. SUSE Linux distributions are similarly affected per SUSE-SU-2026:1008, 1013, 1035, and 1148. The vulnerability impacts both server-side Node.js applications (RCE risk) and browser-based JavaScript (XSS risk) wherever untrusted JSON Path expressions are processed. Vendor advisories available at https://security.snyk.io/vuln/SNYK-JS-JSONPATH-13645034 and respective Red Hat/SUSE advisory URLs.

RemediationAI

Upgrade to jsonpath version 1.2.0 or later, which addresses the arbitrary code injection vulnerability through commits 9631412641b7095f86840a7a45b5b3afc68b0fcb and b61111f07ac1a8d0f3133b5fc51438ecb76a6c39. For systems using Red Hat products, apply RHSA-2026:6174, 6308, 6309, 6404, or 6802 as appropriate for your platform. SUSE users should apply SUSE-SU-2026:1008, 1013, 1035, or 1148. If immediate patching is not feasible, implement strict input validation: whitelist only alphanumeric characters, dots, and brackets in JSON Path expressions, and reject any input containing parentheses, JavaScript operators, or function calls - this prevents expression evaluation but may break legitimate complex query functionality. Alternatively, isolate jsonpath execution in a sandboxed environment with restricted permissions, though this adds operational complexity and potential performance overhead. For browser contexts, implement Content Security Policy with 'unsafe-eval' prohibited to limit XSS impact, though this does not prevent server-side RCE and may conflict with other application requirements. Most effective mitigation: never pass user-controlled input directly to jsonpath query methods; instead, expose only predefined, application-controlled query templates.

CVE-2024-55591 CRITICAL POC
9.8 Jan 14

FortiOS and FortiProxy contain an authentication bypass via the Node.js websocket module allowing unauthenticated remote

CVE-2014-7205 CRITICAL POC
10.0 Oct 08

Eval injection vulnerability in the internals.batch function in lib/batch.js in the bassmaster plugin before 1.5.2 for t

CVE-2025-59528 CRITICAL POC
10.0 Sep 22

Flowise version 3.0.5 contains a remote code execution vulnerability in the CustomMCP node. The mcpServerConfig paramete

CVE-2017-14849 HIGH POC
7.5 Sep 28

Node.js 8.5.0 before 8.6.0 allows remote attackers to access unintended files, because a change to ".." handling was inc

CVE-2017-5941 CRITICAL POC
9.8 Feb 09

An issue was discovered in the node-serialize package 0.0.4 for Node.js. Rated critical severity (CVSS 9.8), this vulner

CVE-2014-3744 HIGH POC
7.5 Oct 23

Directory traversal vulnerability in the st module before 0.2.5 for Node.js allows remote attackers to read arbitrary fi

CVE-2014-9566 HIGH POC
7.5 Mar 10

Multiple SQL injection vulnerabilities in the Manage Accounts page in the AccountManagement.asmx service in the Solarwin

CVE-2013-4660 MEDIUM POC
6.8 Jun 28

The JS-YAML module before 2.0.5 for Node.js parses input without properly considering the unsafe !!js/function tag, whic

CVE-2015-5688 MEDIUM POC
5.0 Sep 04

Directory traversal vulnerability in lib/app/index.js in Geddy before 13.0.8 for Node.js allows remote attackers to read

CVE-2026-45321 CRITICAL POC
9.6 May 12

Credential-harvesting malware compromised 84 versions of 42 TanStack npm packages on 2026-05-11 via chained GitHub Actio

CVE-2014-7192 CRITICAL POC
10.0 Dec 11

Eval injection vulnerability in index.js in the syntax-error package before 1.1.1 for Node.js 0.10.x, as used in IBM Rat

CVE-2013-4450 MEDIUM POC
5.0 Oct 21

The HTTP server in Node.js 0.10.x before 0.10.21 and 0.8.x before 0.8.26 allows remote attackers to cause a denial of se

Vendor StatusVendor

SUSE

Severity: Critical
Product Status
Container suse/manager/4.3/proxy-httpd:4.3.17.9.76.1 Affected
Container suse/manager/5.0/x86_64/server:latest Affected
Image SLES15-SP5-SAP-Azure-LI-BYOS Image SLES15-SP5-SAP-Azure-LI-BYOS-Production Image SLES15-SP5-SAP-Azure-VLI-BYOS Image SLES15-SP5-SAP-Azure-VLI-BYOS-Production Image SLES15-SP7-SAP-Azure-LI-BYOS-Production Image SLES15-SP7-SAP-Azure-VLI-BYOS-Production Affected
SUSE Linux Enterprise Desktop 15 SP7 SUSE Linux Enterprise High Performance Computing 15 SP7 SUSE Linux Enterprise Module for Basesystem 15 SP7 SUSE Linux Enterprise Server 15 SP7 SUSE Linux Enterprise Server for SAP Applications 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS Fixed

Share

CVE-2026-1615 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy