Get a Demo

Let's Patch It!

Book a short call with one our specialists, we'll walk you through how Endor Patches work, and ask you a few questions about your environment (like your primary programming languages and repository management). We'll also send you an email right after you fill out the form, feel free to reply with any questions you have in advance!

CVE

CVE-2026-1615

jsonpath has Arbitrary Code Injection via Unsafe Evaluation of JSON Path Expressions
Back to all
CVE

CVE-2026-1615

jsonpath has Arbitrary Code Injection via Unsafe Evaluation of JSON Path Expressions

Impact

Arbitrary Code Injection (Remote Code Execution & XSS):

A critical security vulnerability affects all versions of the jsonpath package. The library relies on the static-eval module to evaluate JSON Path expressions but fails to properly sanitize or sandbox the input.

This allows an attacker to inject arbitrary JavaScript code into the JSON Path expression. When the library evaluates this expression, the malicious code is executed.

  • Node.js Environments: This leads to Remote Code Execution (RCE), allowing an attacker to compromise the server.
  • Browser Environments: This leads to Cross-Site Scripting (XSS), allowing an attacker to hijack user sessions or exfiltrate data.

Affected Methods:

The vulnerability triggers when untrusted data is passed to any method that evaluates a path, including:

  • jsonpath.query
  • jsonpath.nodes
  • jsonpath.paths
  • jsonpath.value
  • jsonpath.parent
  • jsonpath.apply

Patches

No Patch Available:

Currently, all versions of jsonpath are vulnerable. There is no known patched version of this package that resolves the issue while retaining the current architecture.

Recommendation:

Developers are strongly advised to migrate to a secure alternative (such as jsonpath-plus or similar libraries that do not use eval/static-eval) or strictly validate all JSON Path inputs against a known allowlist.

Workarounds

  • Strict Input Validation: Ensure that no user-supplied data is ever passed directly to jsonpath functions.
  • Sanitization: If user input is unavoidable, implement a strict parser to reject any JSON Path expressions containing executable JavaScript syntax (e.g., parentheses (), script expressions script:, or function calls).

Resources

Package Versions Affected

Package Version
patch Availability
No items found.

Automatically patch vulnerabilities without upgrading

Fix Without Upgrading
Detect compatible fix
Apply safe remediation
Fix with a single pull request

CVSS Version

Severity
Base Score
CVSS Version
Score Vector
C
H
U
9.2
-
4.0
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
C
H
U
0
-
3.1
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
C
H
U
9.8
-
3.1
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Related Resources

No items found.

References

https://nvd.nist.gov/vuln/detail/CVE-2026-1615, https://github.com/dchester/jsonpath, https://github.com/dchester/jsonpath/blob/c1dd8ec74034fb0375233abb5fdbec51ac317b4b/lib/handlers.js#L243, https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-15141219, https://security.snyk.io/vuln/SNYK-JS-JSONPATH-13645034

Severity

9.8

CVSS Score
0
10

Basic Information

Ecosystem
Base CVSS
9.8
EPSS Probability
0.00094%
EPSS Percentile
0.26444%
Introduced Version
0,0.1.2
Fix Available
1.2.1

Fix Critical Vulnerabilities Instantly

Secure your app without upgrading.
Fix Without Upgrading