CVE-2026-1615

Description

### Impact **Arbitrary Code Injection (Remote Code Execution & XSS):** A critical security vulnerability affects **all versions** of the `jsonpath` package. The library relies on the `static-eval` module to evaluate JSON Path expressions but fails to properly sanitize or sandbox the input. This allows an attacker to inject arbitrary JavaScript code into the JSON Path expression. When the library evaluates this expression, the malicious code is executed. * **Node.js Environments:** This leads to **Remote Code Execution (RCE)**, allowing an attacker to compromise the server. * **Browser Environments:** This leads to **Cross-Site Scripting (XSS)**, allowing an attacker to hijack user sessions or exfiltrate data. **Affected Methods:** The vulnerability triggers when untrusted data is passed to any method that evaluates a path, including: * `jsonpath.query` * `jsonpath.nodes` * `jsonpath.paths` * `jsonpath.value` * `jsonpath.parent` * `jsonpath.apply` ### Patches **No Patch Available:** Currently, **all versions** of `jsonpath` are vulnerable. There is no known patched version of this package that resolves the issue while retaining the current architecture. **Recommendation:** Developers are strongly advised to **migrate to a secure alternative** (such as `jsonpath-plus` or similar libraries that do not use `eval`/`static-eval`) or strictly validate all JSON Path inputs against a known allowlist. ### Workarounds * **Strict Input Validation:** Ensure that no user-supplied data is ever passed directly to `jsonpath` functions. * **Sanitization:** If user input is unavoidable, implement a strict parser to reject any JSON Path expressions containing executable JavaScript syntax (e.g., parentheses `()`, script expressions `script:`, or function calls). ### Resources * [CVE-2026-1615](https://nvd.nist.gov/vuln/detail/CVE-2026-1615) * [Vulnerable Code in handlers.js](https://github.com/dchester/jsonpath/blob/c1dd8ec74034fb0375233abb5fdbec51ac317b4b/lib/handlers.js#L243) * [Snyk Advisory (Java/WebJars)](https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-15141219) * [Snyk Advisory (JS)](https://security.snyk.io/vuln/SNYK-JS-JSONPATH-13645034)

How to fix CVE-2026-1615

To remediate CVE-2026-1615, upgrade the affected package to a fixed version below.

—upgrade to 1.3.0 or later

Source	Version	Severity	Vector
osv	CVSS 4.0	—	CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P
osv	CVSS 3.1	CRITICAL9.8	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Description

How to fix CVE-2026-1615

Is CVE-2026-1615 being exploited?

Affected packages (1)

CVSS scores

References (8)