CVE-2025-1302

CRITICAL EXPLOITED NUCLEI

jsonpath-plus < 10.3.0 - Remote Code Execution via Unsafe Eval Mode

Title source: llm

Exploitation Summary

CVE-2025-1302 has been observed exploited in the wild (reported by VulnCheck KEV). EIP tracks 3 public exploits from researchers including EQSTLab, abrewer251, dbwlsdnr95. A Nuclei detection template is also available.

AI-analyzed exploit summary: This repository contains a functional PoC exploit for CVE-2025-1302, targeting a Remote Code Execution (RCE) vulnerability in jsonpath-plus versions before 10.3.0. The exploit leverages improper input sanitization to execute arbitrary commands via a crafted JSONPath expression, resulting in a reverse shell.

Description

Versions of the package jsonpath-plus before 10.3.0 are vulnerable to Remote Code Execution (RCE) due to improper input sanitization. An attacker can execute arbitrary code on the system by exploiting the unsafe default usage of eval='safe' mode. **Note:** This is caused by an incomplete fix for [CVE-2024-21534](https://security.snyk.io/vuln/SNYK-JS-JSONPATHPLUS-7945884).

Exploits (3)

nomisec WORKING POC 19 stars
by EQSTLab · remote
https://github.com/EQSTLab/CVE-2025-1302

This repository contains a functional PoC exploit for CVE-2025-1302, targeting a Remote Code Execution (RCE) vulnerability in jsonpath-plus versions before 10.3.0. The exploit leverages improper input sanitization to execute arbitrary commands via a crafted JSONPath expression, resulting in a reverse shell.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: jsonpath-plus < 10.3.0
No auth needed
Prerequisites: Network access to the target application · A listener set up for the reverse shell
devstral-2 · analyzed Feb 16, 2026

nomisec WORKING POC 1 stars
by abrewer251 · remote
https://github.com/abrewer251/CVE-2025-1302_jsonpath-plus_RCE

This repository contains a functional proof-of-concept exploit for CVE-2025-1302, targeting a remote code execution vulnerability in the `jsonpath-plus` library. The PoC script sends crafted JSONPath payloads via HTTP POST/GET requests to trigger RCE and establish a reverse shell.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: jsonpath-plus library
No auth needed
Prerequisites: Vulnerable `jsonpath-plus` library in use by the target service · Network access to the target endpoint · Attacker-controlled listener for reverse shell
devstral-2 · analyzed Feb 16, 2026

nomisec WORKING POC
by dbwlsdnr95 · poc
https://github.com/dbwlsdnr95/CVE-2025-1302

This repository contains a functional PoC for CVE-2025-1302, demonstrating an RCE vulnerability in jsonpath-plus < 10.3.0 via eval injection bypass using array notation. The exploit leverages a vulnerable Express server to execute arbitrary commands through crafted JSONPath queries.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: jsonpath-plus < 10.3.0
No auth needed
Prerequisites: Node.js environment · jsonpath-plus version < 10.3.0
devstral-2 · analyzed Feb 27, 2026

Nuclei Templates (1)

JSONPath Plus < 10.3.0 - Remote Code Execution
CRITICAL · VERIFIED · by Jaenact

Scores

CVSS v3 9.8
EPSS 0.9081
EPSS Percentile 99.6%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation poc
Automatable no
Technical Impact total

Details

VulnCheck KEV 2025-11-19
CWE
CWE-94
Status published
Products (2)
n/a/jsonpath-plus < 10.3.0
npm/jsonpath-plus 0 - 10.3.0
Published Feb 15, 2025
Tracked Since Feb 18, 2026