GHSA-6C59-MWGH-R2X6 JSONPath vulnerable to Prototype Pollution due to insufficient input validation of object keys in lib/index.js
The value function in jsonpath 1.1.1 lib/index.js is vulnerable to Prototype Pollution...
3d-tiles-tools (>=0.1.0 <=0.1.3), 7ghost (>=4.11.0 <=4.11.46) +535 more potentially affected by CVE-2025-61140 via jsonpath (>=0.1.3 <=1.1.1)
jsonpath NPM versions =0.1.3, =0.1.0, =4.11.0, =0.0.11, =0.6.0, =0.82.10-20200221024018, =0.1.27, =1.0.0, =2.0.15, =1.0.2, =1.0.0, =1.1.0, =3.0.6371, =4.0.2, =2.0.4, =2.1.27 and more. Source CVEs: CVE-2025-61140. Source advisory: OSV:GHSA-6C59-MWGH-R2X6...
CVE-2025-61140
A flaw was found in jsonpath. The value function is vulnerable to Prototype Pollution, a type of vulnerability that allows an attacker to inject or modify properties of an object's prototype. This can lead to various impacts, including arbitrary code execution, privilege escalation, or denial of...
Prototype Pollution
Overview: jsonpath is a library for querying JavaScript objects with JSONPath expressions (a robust, safe JSONPath engine for Node.js). Affected versions of this package are vulnerable to Prototype Pollution via the value function. An attacker can modify the prototype of built-in objects by supplying crafted input...
Prototype Pollution
Overview: org.webjars.npm:jsonpath is a library for querying JavaScript objects with JSONPath expressions (a robust, safe JSONPath engine for Node.js). Affected versions of this package are vulnerable to Prototype Pollution via the value function. An attacker can modify the prototype of built-in objects by supplyi...
7ghost (>=4.11.0 <=4.11.46), @accordproject/concerto-ui-react (>=0.6.0 <=0.83.1-20200224151908) +269 more potentially affected by CVE-2025-61140 via jsonpath (>=1.0.0 <=1.1.1)
jsonpath NPM versions =1.0.0, =4.11.0, =0.6.0, =0.82.10-20200221024018, =1.0.0, =1.1.0, =3.0.6371, =4.0.2, =2.0.4, =0.2.0, =4.0.149, =3.0.129, =4.0.174, =0.11.8, =1.2.5, =1.4.0 and more. Source CVEs: CVE-2025-61140. Source advisory: SNYK:JS-JSONPATH-15134429...
CVE-2025-61140
The value function in jsonpath 1.1.1 lib/index.js is vulnerable to Prototype Pollution...
PT-2026-5135
Name of the Vulnerable Software and Affected Versions: jsonpath version 1.1.1. Description: The value function in jsonpath lib/index.js is susceptible to Prototype Pollution. This allows for modification of the prototype of JavaScript objects, potentially leading to unexpected behavior or code...
EUVD-2025-206486
The value function in jsonpath 1.1.1 lib/index.js is vulnerable to Prototype Pollution...
CVE-2025-61140
The CVE-2025-61140 entry concerns jsonpath version 1.1.1, where the value function in lib/index.js is vulnerable to Prototype Pollution. This is documented across multiple sources (GitHub advisory, OSV/NVD entries, and Red Hat advisories) and is categorized with a critical CVSS score. The vulnera...
JSONPath security vulnerabilities
JSONPath is a JSONPath engine developed by David Chester as an individual contributor. There is a security vulnerability in the 1.1.1 version of JSONPath, which stems from prototype pollution in the value function...
JSONPath Plus Remote Code Execution
This Metasploit module exploits a remote code execution vulnerability in JSONPath Plus library versions prior to 10.3.0. The vulnerability allows arbitrary JavaScript code execution through malicious JSONPath expressions...
VulnCheck KEV: CVE-2025-1302
Versions of the package jsonpath-plus before 10.3.0 are vulnerable to Remote Code Execution (RCE) due to improper input sanitization. An attacker can execute arbitrary code on the system by exploiting the unsafe default usage of eval='safe' mode. Note: This is caused by an incomplete fix for...
EUVD-2024-42301
Malicious code in bioql PyPI...
Security Bulletin: IBM watsonx Orchestrate Cartridge affected by vulnerability in jsonpath-plus-10.2.0.tgz
Summary: IBM watsonx Orchestrate Cartridge contains a vulnerable version of jsonpath-plus-10.2.0.tgz. Vulnerability Details: CVEID: CVE-2025-1302. DESCRIPTION: Versions of the package jsonpath-plus before 10.3.0 are vulnerable to Remote Code Execution (RCE) due to improper input sanitization. An attacke...