CVE-2025-1302

NVD

https://nvd.nist.gov/vuln/detail/CVE-2025-1302

Severity

Unknown

Eliminate CVEs with Chainguard hardened images

Build, ship, and run secure software with minimal, hardened container images — rebuilt from source daily and guarded under our industry-leading remediation SLA.

Start for free

Description

Versions of the package jsonpath-plus before 10.3.0 are vulnerable to Remote Code Execution (RCE) due to improper input sanitization. An attacker can execute aribitrary code on the system by exploiting the unsafe default usage of eval='safe' mode.

Note:

This is caused by an incomplete fix for CVE-2024-21534.

References

https://nvd.nist.gov/vuln/detail/CVE-2025-1302
https://github.com/advisories/GHSA-hw8r-x6gr-5gjp
https://gist.github.com/nickcopi/11ba3cb4fdee6f89e02e6afae8db6456
https://github.com/JSONPath-Plus/JSONPath/blob/8e4acf8aff5f446aa66323e12394ac5615c3b260/src/Safe-Script.js%23L127
https://security.snyk.io/vuln/SNYK-JS-JSONPATHPLUS-8719585
https://github.com/JSONPath-Plus/JSONPath/commit/30942896d27cb8a806b965a5ca9ef9f686be24ee

Affected packages

Advisories are based on vulnerability information provided by Grype from Anchore. Learn how Chainguard creates security advisories.

CVE-2025-1302

Severity

Description

References

Affected packages

The trusted source for open source

Product

Solutions

Customers

Resources

Company