CVE-2024-21534

CRITICAL

NPM Jsonpath-plus < 10.2.0 - Code Injection

Title source: rule

Description

All versions of the package jsonpath-plus are vulnerable to Remote Code Execution (RCE) due to improper input sanitization. An attacker can execute aribitrary code on the system by exploiting the unsafe default usage of vm in Node. **Note:** There were several attempts to fix it in versions [10.0.0-10.1.0](https://github.com/JSONPath-Plus/JSONPath/compare/v9.0.0...v10.1.0) but it could still be exploited using [different payloads](https://github.com/JSONPath-Plus/JSONPath/issues/226).

Exploits (4)

nomisec WORKING POC 5 stars

by verylazytech · poc

https://github.com/verylazytech/cve-2024-21534

View Code ZIP pw:eip

nomisec WORKING POC 1 stars

by pabloopez · poc

https://github.com/pabloopez/CVE-2024-21534

View Code ZIP pw:eip

nomisec WORKING POC 1 stars

by BohemianHacks · poc

https://github.com/BohemianHacks/CVE-2024-21534-poc

View Code ZIP pw:eip

inthewild

poc

https://github.com/xiaomingx/cve-2024-21534-poc

View on inthewild

References (4)

[Various Sources] https://github.com/JSONPath-Plus/JSONPath/compare/v9.0.0...v10.1.0

[Issue Tracking] https://github.com/JSONPath-Plus/JSONPath/issues/226

[Third Party Advisory] https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-8185019

[Third Party Advisory] https://security.snyk.io/vuln/SNYK-JS-JSONPATHPLUS-7945884

Scores

CVSS v3 9.8

EPSS 0.9271

EPSS Percentile 99.8%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE

CWE-94

Status published

Products (4)

n/a/jsonpath-plus

n/a/org.webjars.npm:jsonpath-plus

npm/jsonpath-plus 0 - 10.2.0npm

org.webjars.npm/jsonpath-plus 0Maven

Published Oct 11, 2024

Tracked Since Feb 18, 2026