CGA-fmpv-496h-78mc

Published

Last updated

https://images.chainguard.dev/security/CGA-fmpv-496h-78mc

Package

kubeflow-pipelines

RepositoryWolfi

Latest Update

Pending upstream fix

Aliases

CVE-2025-1302
GHSA-hw8r-x6gr-5gjp

Severity

Unknown

Summary

JSONPath Plus allows Remote Code Execution

Description

Versions of the package jsonpath-plus before 10.3.0 are vulnerable to Remote Code Execution (RCE) due to improper input sanitization. An attacker can execute aribitrary code on the system by exploiting the unsafe default usage of eval='safe' mode.

Note:

This is caused by an incomplete fix for CVE-2024-21534.

References

https://nvd.nist.gov/vuln/detail/CVE-2025-1302
https://github.com/advisories/GHSA-hw8r-x6gr-5gjp
https://nvd.nist.gov/vuln/detail/CVE-2024-21534
https://github.com/JSONPath-Plus/JSONPath/commit/30942896d27cb8a806b965a5ca9ef9f686be24ee
https://gist.github.com/nickcopi/11ba3cb4fdee6f89e02e6afae8db6456
https://github.com/JSONPath-Plus/JSONPath
https://github.com/JSONPath-Plus/JSONPath/blob/8e4acf8aff5f446aa66323e12394ac5615c3b260/src/Safe-Script.js#L127
https://security.snyk.io/vuln/SNYK-JS-JSONPATHPLUS-8719585

Updates

Advisories are based on vulnerability information provided by Grype from Anchore. Learn how Chainguard creates security advisories.

Safe Source for Open Source™

Media Kit Contact Us

Private Policy

CGA-fmpv-496h-78mc

Severity

Summary

Description

References

Updates

Products

Why Chainguard

Customers

Company

Resources