Description
Versions of the package jsonpath before 1.3.0 are vulnerable to Arbitrary Code Injection via unsafe evaluation of user-supplied JSON Path expressions. The library relies on the static-eval module to process JSON Path input, which is not designed to handle untrusted data safely. An attacker can exploit this vulnerability by supplying a malicious JSON Path expression that, when evaluated, executes arbitrary JavaScript code, leading to Remote Code Execution in Node.js environments or Cross-site Scripting (XSS) in browser contexts. This affects all methods that evaluate JSON Paths against objects, including .query, .nodes, .paths, .value, .parent, and .apply.
Published: 2026-02-09
Score: 9.2 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

This vulnerability allows a malicious actor to supply a crafted JSON Path expression that is processed by the library’s static-eval module, resulting in uncontrolled execution of JavaScript code. The flaw can lead to Remote Code Execution in a Node.js environment or Cross‑Site Scripting when the library runs in a browser, because the library evaluates the expression without sanitizing user input. The weakness is identified as a Code Injection (CWE‑94).

Affected Systems

The issue affects the npm package "jsonpath" and the corresponding Webjars NPM variant "org.webjars.npm:jsonpath" for all releases prior to version 1.3.0. Any project that imports this library and uses its query, nodes, paths, value, parent, or apply methods is potentially exposed.

Risk and Exploitability

With a CVSS score of 9.2, the vulnerability poses a high severity risk. Exploitation likelihood is low as indicated by an EPSS score below 1%, and it is not yet listed in the CISA KEV catalog. Nonetheless, if the application accepts untrusted data for JSON Path evaluation, an attacker can trigger the unsafe evaluation, either from a remote request or local code, achieving arbitrary code execution. The attack vector is inferred to be remote or local depending on whether the library processes user‑supplied input.

Generated by OpenCVE AI on April 15, 2026 at 21:19 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the jsonpath dependency to version 1.3.0 or later where the unsafe static evaluation has been removed.
  • If an upgrade is not immediately possible, eliminate or isolate any usage of the unsafe evaluation functions (.query, .nodes, .paths, .value, .parent, .apply) and replace them with safe alternatives or custom validation that rejects potentially harmful expressions.
  • Apply an environment restriction or code review that prevents untrusted JSON Path expressions from being evaluated in production deployments.

Generated by OpenCVE AI on April 15, 2026 at 21:19 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-87r5-mp6g-5w5j jsonpath has Arbitrary Code Injection via Unsafe Evaluation of JSON Path Expressions
History

Tue, 07 Apr 2026 15:15:00 +0000

Type Values Removed Values Added
Description Versions of the package jsonpath before 1.2.0 are vulnerable to Arbitrary Code Injection via unsafe evaluation of user-supplied JSON Path expressions. The library relies on the static-eval module to process JSON Path input, which is not designed to handle untrusted data safely. An attacker can exploit this vulnerability by supplying a malicious JSON Path expression that, when evaluated, executes arbitrary JavaScript code, leading to Remote Code Execution in Node.js environments or Cross-site Scripting (XSS) in browser contexts. This affects all methods that evaluate JSON Paths against objects, including .query, .nodes, .paths, .value, .parent, and .apply. Versions of the package jsonpath before 1.3.0 are vulnerable to Arbitrary Code Injection via unsafe evaluation of user-supplied JSON Path expressions. The library relies on the static-eval module to process JSON Path input, which is not designed to handle untrusted data safely. An attacker can exploit this vulnerability by supplying a malicious JSON Path expression that, when evaluated, executes arbitrary JavaScript code, leading to Remote Code Execution in Node.js environments or Cross-site Scripting (XSS) in browser contexts. This affects all methods that evaluate JSON Paths against objects, including .query, .nodes, .paths, .value, .parent, and .apply.
References

Mon, 23 Feb 2026 10:30:00 +0000

Type Values Removed Values Added
Description Versions of the package jsonpath from 0.0.0 are vulnerable to Arbitrary Code Injection via unsafe evaluation of user-supplied JSON Path expressions. The library relies on the static-eval module to process JSON Path input, which is not designed to handle untrusted data safely. An attacker can exploit this vulnerability by supplying a malicious JSON Path expression that, when evaluated, executes arbitrary JavaScript code, leading to Remote Code Execution in Node.js environments or Cross-site Scripting (XSS) in browser contexts. This affects all methods that evaluate JSON Paths against objects, including .query, .nodes, .paths, .value, .parent, and .apply. Versions of the package jsonpath before 1.2.0 are vulnerable to Arbitrary Code Injection via unsafe evaluation of user-supplied JSON Path expressions. The library relies on the static-eval module to process JSON Path input, which is not designed to handle untrusted data safely. An attacker can exploit this vulnerability by supplying a malicious JSON Path expression that, when evaluated, executes arbitrary JavaScript code, leading to Remote Code Execution in Node.js environments or Cross-site Scripting (XSS) in browser contexts. This affects all methods that evaluate JSON Paths against objects, including .query, .nodes, .paths, .value, .parent, and .apply.
References

Sun, 22 Feb 2026 10:30:00 +0000

Type Values Removed Values Added
References

Sun, 22 Feb 2026 10:00:00 +0000

Type Values Removed Values Added
Description Versions of the package jsonpath before 1.2.0 are vulnerable to Arbitrary Code Injection via unsafe evaluation of user-supplied JSON Path expressions. The library relies on the static-eval module to process JSON Path input, which is not designed to handle untrusted data safely. An attacker can exploit this vulnerability by supplying a malicious JSON Path expression that, when evaluated, executes arbitrary JavaScript code, leading to Remote Code Execution in Node.js environments or Cross-site Scripting (XSS) in browser contexts. This affects all methods that evaluate JSON Paths against objects, including .query, .nodes, .paths, .value, .parent, and .apply. Versions of the package jsonpath from 0.0.0 are vulnerable to Arbitrary Code Injection via unsafe evaluation of user-supplied JSON Path expressions. The library relies on the static-eval module to process JSON Path input, which is not designed to handle untrusted data safely. An attacker can exploit this vulnerability by supplying a malicious JSON Path expression that, when evaluated, executes arbitrary JavaScript code, leading to Remote Code Execution in Node.js environments or Cross-site Scripting (XSS) in browser contexts. This affects all methods that evaluate JSON Paths against objects, including .query, .nodes, .paths, .value, .parent, and .apply.

Tue, 17 Feb 2026 13:45:00 +0000

Type Values Removed Values Added
Description All versions of the package jsonpath are vulnerable to Arbitrary Code Injection via unsafe evaluation of user-supplied JSON Path expressions. The library relies on the static-eval module to process JSON Path input, which is not designed to handle untrusted data safely. An attacker can exploit this vulnerability by supplying a malicious JSON Path expression that, when evaluated, executes arbitrary JavaScript code, leading to Remote Code Execution in Node.js environments or Cross-site Scripting (XSS) in browser contexts. This affects all methods that evaluate JSON Paths against objects, including .query, .nodes, .paths, .value, .parent, and .apply. Versions of the package jsonpath before 1.2.0 are vulnerable to Arbitrary Code Injection via unsafe evaluation of user-supplied JSON Path expressions. The library relies on the static-eval module to process JSON Path input, which is not designed to handle untrusted data safely. An attacker can exploit this vulnerability by supplying a malicious JSON Path expression that, when evaluated, executes arbitrary JavaScript code, leading to Remote Code Execution in Node.js environments or Cross-site Scripting (XSS) in browser contexts. This affects all methods that evaluate JSON Paths against objects, including .query, .nodes, .paths, .value, .parent, and .apply.
References

Tue, 10 Feb 2026 00:15:00 +0000

Type Values Removed Values Added
Title jsonpath: jsonpath: Arbitrary Code Execution via unsafe JSON Path expression evaluation
References
Metrics threat_severity

None

 threat_severity

Critical

Mon, 09 Feb 2026 16:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Mon, 09 Feb 2026 11:00:00 +0000

Type Values Removed Values Added
First Time appeared Dchester
Dchester jsonpath
Vendors & Products Dchester
Dchester jsonpath

Mon, 09 Feb 2026 05:15:00 +0000

Type Values Removed Values Added
Description All versions of the package jsonpath are vulnerable to Arbitrary Code Injection via unsafe evaluation of user-supplied JSON Path expressions. The library relies on the static-eval module to process JSON Path input, which is not designed to handle untrusted data safely. An attacker can exploit this vulnerability by supplying a malicious JSON Path expression that, when evaluated, executes arbitrary JavaScript code, leading to Remote Code Execution in Node.js environments or Cross-site Scripting (XSS) in browser contexts. This affects all methods that evaluate JSON Paths against objects, including .query, .nodes, .paths, .value, .parent, and .apply.
Weaknesses CWE-94
References
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P'}

cvssV4_0

{'score': 9.2, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P'}

Subscriptions

Dchester Jsonpath
cve-icon MITRE

Status: PUBLISHED

Assigner: snyk

Published:

Updated: 2026-04-07T13:08:50.705Z

Reserved: 2026-01-29T13:07:32.703Z

Link: CVE-2026-1615

cve-icon Vulnrichment

Updated: 2026-02-09T16:07:29.695Z

cve-icon NVD

Status : Deferred

Published: 2026-02-09T05:16:24.353

Modified: 2026-04-29T01:00:01.613

Link: CVE-2026-1615

cve-icon Redhat

Severity : Critical

Publid Date: 2026-02-09T05:00:09Z

Links: CVE-2026-1615 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-15T21:30:13Z

Weaknesses