npm package
jsonpath
pkg:npm/jsonpath
Vulnerabilities (2)
| CVE | Severity | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2026-1615 | Critical | 9.8 | | < 1.3.0 | 1.3.0 | Feb 9, 2026 | Versions of the package jsonpath before 1.3.0 are vulnerable to Arbitrary Code Injection via unsafe evaluation of user-supplied JSON Path expressions. The library relies on the static-eval module to process JSON Path input, which is not designed to handle untrusted data safely. A |
| CVE-2025-61140 | — | | | < 1.2.0 | 1.2.0 | Jan 28, 2026 | The value function in jsonpath 1.1.1 lib/index.js is vulnerable to Prototype Pollution. |