VYPR
Critical severity 9.8 · NVD Advisory · Published Jun 12, 2026 · Updated Jun 12, 2026

CVE-2026-54133

Description

JMESPath PHP library before 2.9.1 allows code injection via unescaped function names in CompilerRuntime, enabling RCE with a crafted expression.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

The JMESPath PHP library (jmespath.php) prior to version 2.9.1 contains a code injection vulnerability in the JmesPath\CompilerRuntime component. When an application uses CompilerRuntime (or enables JP_PHP_COMPILE) to evaluate a JMESPath expression provided by an attacker, the compiler inserts parsed function names into generated PHP source code without proper escaping. A carefully crafted expression can cause the generated cache file to contain attacker-controlled PHP code, which is then loaded and executed by CompilerRuntime. The issue affects all versions before 2.9.1 [1].

Exploitation

An attacker must be able to supply a JMESPath expression to an application that uses JmesPath\CompilerRuntime or has JP_PHP_COMPILE enabled. The attacker crafts the expression to include a non-identifier value (e.g., a string containing PHP code) where the parser expects a function callee. The compiler writes this value into the generated PHP source without safely escaping it as a string literal. The generated source is written to the compiled-expression cache directory and then loaded by CompilerRuntime, which triggers execution of the injected PHP code. No authentication or user interaction beyond providing the expression is required [1].

Impact

Successful exploitation allows an attacker to execute arbitrary PHP code with the privileges of the PHP process. This can lead to full compromise of the application, including data theft, modification, or further server-side attacks. The impact is Remote Code Execution (RCE), affecting confidentiality, integrity, and availability [1].

Mitigation

The vulnerability is patched in version 2.9.1 and later [1]. As a workaround, disable JP_PHP_COMPILE and avoid using JmesPath\CompilerRuntime with attacker-controlled expressions; use the default AstRuntime for untrusted expressions. Applications that cannot upgrade immediately should ensure that untrusted JMESPath expressions are never evaluated by the compiler runtime. No EOL or KEV listing is noted [1].

AI Insight generated on Jun 12, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Patches

0

No patches discovered yet.

Vulnerability mechanics

Root cause

"Missing escaping of JMESPath function names when emitting them into generated PHP source code allows injection of arbitrary PHP code."

Attack vector

An attacker supplies a crafted JMESPath expression containing a non-identifier value where the parser accepts a function callee. The `CompilerRuntime` writes that value directly into generated PHP source without escaping it as a string literal, causing the generated cache file to contain executable attacker-controlled PHP. When the runtime loads that cache file, the injected PHP executes with the privileges of the PHP process. The attacker must be able to influence the JMESPath expression string; the searched data document alone is insufficient. [1]

Affected code

The vulnerability resides in `JmesPath\CompilerRuntime`, which emits parsed JMESPath function names into generated PHP source code without sufficient escaping. The compiler writes attacker-controlled values into the generated cache file, which is then loaded by the runtime. Applications on the default `AstRuntime` are not affected unless `JP_PHP_COMPILE` is explicitly enabled.

What the fix does

The patch in version 2.9.1 escapes function names properly when emitting them into the generated PHP source, preventing attacker-controlled values from being interpreted as PHP code. The advisory recommends upgrading to 2.9.1 or later. As a workaround, applications should disable `JP_PHP_COMPILE` and avoid using `JmesPath\CompilerRuntime` with untrusted expressions, falling back to the default `AstRuntime` which interprets the expression tree and is not vulnerable. [1]

Preconditions

  • config: The application must use JmesPath\CompilerRuntime or have JP_PHP_COMPILE enabled when evaluating JMESPath expressions.
  • input: The attacker must be able to supply or influence the JMESPath expression string.
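
A deployment check for the version fix and the config precondition above, plus a wrapper that pins untrusted expressions to AstRuntime as the workaround describes. This is an added example, not code from the advisory or from jmespath.php; it assumes a Composer 2 project (for `Composer\InstalledVersions`) with the library installed as `mtdowling/jmespath.php`, and `jmespathFindings()` and `searchUntrusted()` are hypothetical helper names.

```php
<?php
// Added example; not code from jmespath.php. Assumes a Composer 2 project.
require __DIR__ . '/vendor/autoload.php';

use Composer\InstalledVersions;
use JmesPath\AstRuntime;

const PKG   = 'mtdowling/jmespath.php'; // Composer package name (assumed install name)
const FIXED = '2.9.1';                  // first patched version per the advisory

/** Returns findings for this deployment; an empty array means none apply. */
function jmespathFindings(): array
{
    $findings = [];
    if (InstalledVersions::isInstalled(PKG)) {
        $v = ltrim((string) InstalledVersions::getPrettyVersion(PKG), 'v');
        if (!preg_match('/^\d+(\.\d+)*$/', $v)) {
            // Branch or dev installs cannot be compared numerically.
            $findings[] = "version '$v' is not a plain release; confirm it includes the " . FIXED . " fix";
        } elseif (version_compare($v, FIXED, '<')) {
            $findings[] = "installed $v is older than " . FIXED;
        }
    }
    // Check $_SERVER, $_ENV and getenv() so no source of the variable is missed.
    $compile = $_SERVER['JP_PHP_COMPILE'] ?? $_ENV['JP_PHP_COMPILE'] ?? getenv('JP_PHP_COMPILE');
    if ($compile !== false && $compile !== '') {
        $findings[] = "JP_PHP_COMPILE is set ('$compile'): the compiler runtime may be selected";
    }
    return $findings;
}

/**
 * Hypothetical helper: evaluates an expression from an untrusted source with an
 * explicitly constructed AstRuntime, so JP_PHP_COMPILE cannot switch runtimes.
 */
function searchUntrusted(string $expression, $data)
{
    static $runtime = null;
    if ($runtime === null) {
        $runtime = new AstRuntime();
    }
    return $runtime($expression, $data);
}

foreach (jmespathFindings() as $finding) {
    fwrite(STDERR, "[CVE-2026-54133] $finding\n");
}
// Constructed sample input, evaluated by the interpreter rather than the compiler.
var_dump(searchUntrusted('users[0].name', ['users' => [['name' => 'alice']]]));
```

Direct `new CompilerRuntime(...)` calls in application code are not visible to this check and need a separate source search.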

Generated on Jun 12, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

1
