Fluid Attacks Database

Description

JSONPath Plus allows Remote Code Execution Versions of the package jsonpath-plus before 10.3.0 are vulnerable to Remote Code Execution (RCE) due to improper input sanitization. An attacker can execute aribitrary code on the system by exploiting the unsafe default usage of eval='safe' mode.

Note:

This is caused by an incomplete fix for CVE-2024-21534.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
npm	jsonpath-plus	>=0 <10.3.0	10.3.0

Aliases

1. CVE-2025-13022. NVD-2024-215343. NVD-2025-13024. OSV-2025-13025. GCVE-2025-1302

References

1. https://github.com/JSONPath-Plus/JSONPath/commit/30942896d27cb8a806b965a5ca9ef9f686be24ee2. https://gist.github.com/nickcopi/11ba3cb4fdee6f89e02e6afae8db64563. https://github.com/JSONPath-Plus/JSONPath/blob/8e4acf8aff5f446aa66323e12394ac5615c3b260/src/Safe-Script.js#L1274. https://vulncheck.com/cve/CVE-2025-13025. https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2025/CVE-2025-1302.yaml6. https://github.com/EQSTLab/CVE-2025-1302

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.