Fluid Attacks Database

Description

JSONPath vulnerable to Prototype Pollution due to insufficient input validation of object keys in lib/index.js The value function in jsonpath 1.1.1 lib/index.js is vulnerable to Prototype Pollution.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
npm	jsonpath	>=0 <1.2.0	1.2.0

Aliases

1. CVE-2025-611402. NVD-2025-611403. OSV-2025-611404. GCVE-2025-61140

References

1. https://github.com/dchester/jsonpath/issues/1812. https://github.com/dchester/jsonpath/issues/1943. https://github.com/dchester/jsonpath/pull/1954. https://github.com/dchester/jsonpath/commit/9631412641b7095f86840a7a45b5b3afc68b0fcb5. https://gist.github.com/Dremig/8105c189774217222a8ebea3ed4d341d

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.