CVE-2025-1302

CRITICAL · EXPLOITED · NUCLEI

NPM Jsonpath-plus < 10.3.0 - Code Injection

Title source: rule

Description

Versions of the package jsonpath-plus before 10.3.0 are vulnerable to Remote Code Execution (RCE) due to improper input sanitization. An attacker can execute arbitrary code on the system by exploiting the unsafe default usage of eval='safe' mode. **Note:** This is caused by an incomplete fix for [CVE-2024-21534](https://security.snyk.io/vuln/SNYK-JS-JSONPATHPLUS-7945884).

Exploits (3)

nomisec WORKING POC 19 stars
by EQSTLab · remote
https://github.com/EQSTLab/CVE-2025-1302
nomisec WORKING POC 1 star
by abrewer251 · remote
https://github.com/abrewer251/CVE-2025-1302_jsonpath-plus_RCE
nomisec WORKING POC
by dbwlsdnr95 · poc
https://github.com/dbwlsdnr95/CVE-2025-1302

Nuclei Templates (1)

JSONPath Plus < 10.3.0 - Remote Code Execution
CRITICAL · VERIFIED · by Jaenact

Scores

CVSS v3 9.8
EPSS 0.8909
EPSS Percentile 99.5%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

VulnCheck KEV 2025-11-19
CWE
CWE-94
Status published
Products (2)
n/a/jsonpath-plus < 10.3.0
npm/jsonpath-plus 0 - 10.3.0 (npm)
Published Feb 15, 2025
Tracked Since Feb 18, 2026