CVE-2025-1302
JSONPath Plus allows Remote Code Execution
CVSS 3.1 base score: 9.8 (CRITICAL)
EPSS: 89.9%
Description
Versions of the package jsonpath-plus before 10.3.0 are vulnerable to Remote Code Execution (RCE) due to improper input sanitization. An attacker can execute arbitrary code on the system by exploiting the unsafe default usage of the eval='safe' mode. **Note:** This is caused by an incomplete fix for CVE-2024-21534.
How to fix CVE-2025-1302
To remediate CVE-2025-1302, upgrade the affected package to a fixed version below.
- Upgrade to 10.3.0 or later
Is CVE-2025-1302 being exploited?
Likely — EPSS is 89.9%, placing CVE-2025-1302 in the top tier of vulnerabilities by exploitation probability. Prioritise patching.
Affected packages (1)
- jsonpath-plus: >= 0, < 10.3.0
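The fix and affected-range sections above amount to one check a defender actually runs: is any copy of jsonpath-plus in the dependency tree, including nested copies, still below 10.3.0? The following is an added example written for this page, not code from the advisory or from the jsonpath-plus project. It walks a constructed `package-lock.json`-style object (lockfile v2/v3 `packages` map, assumed layout) and reports every installed copy inside the affected range. Pre-release versions of the fixed release (e.g. `10.3.0-rc.1`) are treated as still affected, since they precede `10.3.0` in semver ordering.

```javascript
// Added example (not from the advisory or the jsonpath-plus project):
// flag jsonpath-plus copies inside the CVE-2025-1302 affected range (>= 0, < 10.3.0).

const FIXED_VERSION = '10.3.0';

// Parse "MAJOR.MINOR.PATCH[-prerelease][+build]"; build metadata is ignored.
function parseSemver(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?(?:\+[0-9A-Za-z.-]+)?$/.exec(v);
  if (!m) throw new Error(`not a semver version: ${v}`);
  return { core: [Number(m[1]), Number(m[2]), Number(m[3])], pre: m[4] || null };
}

// Returns -1, 0 or 1. Same core version: a pre-release sorts before the release.
function compareSemver(a, b) {
  const pa = parseSemver(a);
  const pb = parseSemver(b);
  for (let i = 0; i < 3; i++) {
    if (pa.core[i] !== pb.core[i]) return pa.core[i] < pb.core[i] ? -1 : 1;
  }
  if (pa.pre === pb.pre) return 0;
  if (pa.pre === null) return 1;
  if (pb.pre === null) return -1;
  return pa.pre < pb.pre ? -1 : 1; // lexical approximation for two pre-releases
}

// Affected range from the advisory: every version below the fixed release.
function isAffected(version) {
  return compareSemver(version, FIXED_VERSION) < 0;
}

// Walk a lockfile v2/v3 "packages" map. Keys look like
// "node_modules/jsonpath-plus" or "node_modules/foo/node_modules/jsonpath-plus";
// nested copies pulled in by other dependencies must be counted too.
function findAffected(lockfile, name = 'jsonpath-plus') {
  const hits = [];
  for (const [path, entry] of Object.entries(lockfile.packages || {})) {
    const isTarget = path === `node_modules/${name}` || path.endsWith(`/node_modules/${name}`);
    if (isTarget && entry.version && isAffected(entry.version)) {
      hits.push({ path, version: entry.version });
    }
  }
  return hits;
}

// Constructed sample lockfile: the top-level copy is fixed, but a transitive
// dependency still pins a vulnerable nested copy.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', version: '1.0.0' },
    'node_modules/jsonpath-plus': { version: '10.3.0' },
    'node_modules/some-lib': { version: '2.1.0' },
    'node_modules/some-lib/node_modules/jsonpath-plus': { version: '10.2.0' },
  },
};

const SAMPLE_HITS = findAffected(SAMPLE_LOCK);
for (const hit of SAMPLE_HITS) {
  console.log(`CVE-2025-1302: ${hit.path}@${hit.version} is below ${FIXED_VERSION}`);
}
```

In practice, load the real lockfile with `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))` and pass it to `findAffected`; a non-empty result means an `npm update jsonpath-plus` (or an override for the nested copy) is still needed even if the top-level dependency already reads 10.3.0.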
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 4.0 | — | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P |
| osv | CVSS 3.1 | CRITICAL 9.8 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |