CVE-2024-21534

CRITICAL

jsonpath-plus < 10.2.0 - Remote Code Execution via Unsafe vm Usage

Title source: llm

Exploitation Summary

EIP tracks 3 public exploits for CVE-2024-21534. PoCs published by verylazytech, pabloopez, BohemianHacks.

AI-analyzed exploit summary: The repository contains a functional exploit script for CVE-2024-21534, targeting the jsonpath-plus package's improper input sanitization leading to RCE via Node.js vm module misuse. The script crafts a malicious JSON payload to execute a reverse shell.

Description

All versions of the package jsonpath-plus are vulnerable to Remote Code Execution (RCE) due to improper input sanitization. An attacker can execute arbitrary code on the system by exploiting the unsafe default usage of vm in Node. **Note:** There were several attempts to fix it in versions [10.0.0-10.1.0](https://github.com/JSONPath-Plus/JSONPath/compare/v9.0.0...v10.1.0) but it could still be exploited using [different payloads](https://github.com/JSONPath-Plus/JSONPath/issues/226).

Exploits (3)

nomisec WORKING POC 5 stars
by verylazytech · poc
https://github.com/verylazytech/cve-2024-21534

The repository contains a functional exploit script for CVE-2024-21534, targeting the jsonpath-plus package's improper input sanitization leading to RCE via Node.js vm module misuse. The script crafts a malicious JSON payload to execute a reverse shell.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Trivial
Reliability: Reliable
Target: jsonpath-plus < 10.2.0
No auth needed
Prerequisites: Target must use jsonpath-plus < 10.2.0 · Attacker-controlled listener (netcat)
devstral-2 · analyzed Feb 18, 2026

nomisec WORKING POC 1 star
by pabloopez · poc
https://github.com/pabloopez/CVE-2024-21534

This repository contains a functional PoC for CVE-2024-21534, demonstrating RCE in `jsonpath-plus` (<=10.0.7) via unsafe VM module usage in Node.js. The exploit leverages improper input sanitization to execute arbitrary code, with Dockerized setup for reproduction.

Classification: Working PoC 90%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: jsonpath-plus (<=10.0.7)
No auth needed
Prerequisites: Docker · Node.js environment with vulnerable `jsonpath-plus` version
devstral-2 · analyzed Feb 18, 2026

nomisec WORKING POC 1 star
by BohemianHacks · poc
https://github.com/BohemianHacks/CVE-2024-21534-poc

This repository contains a functional PoC for CVE-2024-21534, demonstrating RCE in the `jsonpath-plus` package (versions <= 10.0.7) via unsafe evaluation in Node.js's VM module. The exploit includes a vulnerable Express server and a curling app to trigger the vulnerability.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: jsonpath-plus <= 10.0.7
No auth needed
Prerequisites: Node.js environment with vulnerable `jsonpath-plus` version · Network access to the target server
devstral-2 · analyzed Feb 19, 2026

Scores

CVSS v3: 9.8
EPSS: 0.9271
EPSS Percentile: 99.8%
Attack Vector: NETWORK
Vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Source: Vulnrichment
Exploitation: poc
Automatable: yes
Technical Impact: total

Details

CWE: CWE-94
Status: published
Products (4):
n/a/jsonpath-plus
n/a/org.webjars.npm:jsonpath-plus
npm/jsonpath-plus 0 - 10.2.0 (npm)
org.webjars.npm/jsonpath-plus 0 (Maven)
Published: Oct 11, 2024
Tracked Since: Feb 18, 2026