Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS1wcHBnLWNwZnEtaDd3cs4ABAM3
JSONPath Plus Remote Code Execution (RCE) Vulnerability
Versions of the package jsonpath-plus before 10.0.0 are vulnerable to Remote Code Execution (RCE) due to improper input sanitization. An attacker can execute aribitrary code on the system by exploiting the unsafe default usage of vm in Node.
Note:
The unsafe behavior is still available after applying the fix but it is not turned on by default.
Permalink: https://github.com/advisories/GHSA-pppg-cpfq-h7wrJSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1wcHBnLWNwZnEtaDd3cs4ABAM3
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Critical
Classification: General
Published: 4 days ago
Updated: 1 day ago
CVSS Score: 9.8
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Identifiers: GHSA-pppg-cpfq-h7wr, CVE-2024-21534
References:
- https://nvd.nist.gov/vuln/detail/CVE-2024-21534
- https://github.com/JSONPath-Plus/JSONPath/commit/6b2f1b4c234292c75912b790bf7e2d7339d4ccd3
- https://security.snyk.io/vuln/SNYK-JS-JSONPATHPLUS-7945884
- https://github.com/advisories/GHSA-pppg-cpfq-h7wr
Blast Radius: 42.8
Affected Packages
npm:jsonpath-plus
Dependent packages: 544Dependent repositories: 23,144
Downloads: 18,564,477 last month
Affected Version Ranges: < 10.0.0
Fixed in: 10.0.0
All affected versions: 0.12.0, 0.13.0, 0.13.1, 0.14.0, 0.15.0, 0.16.0, 0.17.0, 0.18.0, 0.18.1, 0.19.0, 0.20.0, 0.20.1, 1.0.0, 1.1.0, 2.0.0, 3.0.0, 4.0.0, 5.0.0, 5.0.1, 5.0.2, 5.0.3, 5.0.4, 5.0.5, 5.0.6, 5.0.7, 5.1.0, 6.0.0, 6.0.1, 7.0.0, 7.1.0, 7.2.0, 8.0.0, 8.1.0, 9.0.0
All unaffected versions: 10.0.0