CVE-2026-54133:
NixOS Vulnerability Analysis and Mitigation
Overview
CVE-2026-54133 is a code injection vulnerability in jmespath.php (the PHP implementation of JMESPath) that allows unauthenticated remote attackers to execute arbitrary PHP code. It affects all versions of the mtdowling/jmespath.php Composer package prior to 2.9.1. The vulnerability was published on June 12, 2026, with the security advisory authored by GrahamCampbell and credited to reporter edorian. It carries a CVSS v3.1 base score of 9.8 (Critical) (GitHub Advisory).
Technical Details
The root cause is improper encoding of output (CWE-116) combined with code injection (CWE-94) and insufficient input validation (CWE-20). When JmesPath\CompilerRuntime processes a JMESPath expression, it emits parsed function names directly into generated PHP source code without safely escaping them as PHP string literals. An attacker who can supply a crafted JMESPath expression — using a non-identifier value where the parser accepts a function callee — can inject arbitrary PHP into the generated cache file, which is subsequently loaded and executed by the compiler runtime. The vulnerability is only triggered when JmesPath\CompilerRuntime is used directly, or when JmesPath\search() is called with the JP_PHP_COMPILE environment variable enabled; the default AstRuntime interprets the parsed expression tree and is not affected (GitHub Advisory).
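The following PHP snippet is an added illustration, not code from the jmespath.php project or from the advisory. It models the compiler's emit step described above: a parsed function name is written into a line of generated PHP source, once by plain interpolation into a single-quoted literal and once through var_export(), and a tokenizer pass shows which of the two lets a crafted name escape the literal. The shape of the generated line ($this->fnDispatcher(...)), the helper names and the crafted callee value are all assumptions made for the demonstration; the fix the advisory describes (escaping the name as a PHP string literal) is the var_export() path.

```php
<?php
// Added example, not code from the jmespath.php project or the advisory.
// It models how a compiler-style runtime turns a parsed function call into a
// line of PHP source, contrasting an unescaped emit with one that quotes the
// name via var_export(). The generated-code shape ($this->fnDispatcher(...))
// is assumed for illustration and need not match the library's real output.
declare(strict_types=1);

// Unsafe emit: the function name is interpolated straight into a single-quoted
// PHP literal, so a name containing a quote ends the literal early.
function emitCallUnsafe(string $fnName, string $argsVar): string
{
    return "\$val = \$this->fnDispatcher('{$fnName}', {$argsVar});";
}

// Hardened emit: var_export() returns a correctly quoted and escaped PHP
// string literal for any input, so the name can never become code.
function emitCallSafe(string $fnName, string $argsVar): string
{
    return '$val = $this->fnDispatcher(' . var_export($fnName, true)
        . ", {$argsVar});";
}

// Count top-level statements in a generated line. token_get_all() folds the
// contents of string literals into single tokens, so a ';' only appears as a
// bare token when it sits in code. One statement is expected; more means the
// "function name" escaped the literal.
function countStatements(string $phpLine): int
{
    $count = 0;
    foreach (token_get_all("<?php " . $phpLine) as $tok) {
        if ($tok === ';') {
            $count++;
        }
    }
    return $count;
}

// Constructed callee value (assumption for the demo): closes the literal,
// finishes the call, appends an attacker statement, and comments out the
// remainder of the emitted line.
$crafted = "x', []); system(\$_GET['cmd']); //";

$lines = [
    'unsafe' => emitCallUnsafe($crafted, '$args'),
    'safe'   => emitCallSafe($crafted, '$args'),
];
foreach ($lines as $label => $line) {
    printf("%-6s statements=%d  %s\n", $label, countStatements($line), $line);
}
```

Run with `php emit_demo.php`. The unsafe line tokenizes into two statements, the second being the injected system() call, while the var_export() line keeps the entire crafted value inside one string token and tokenizes into a single statement. Note that the payload has to end the literal with a quote and continue as PHP: the generated file is already in PHP mode, so a `<?php` tag at that position would be a parse error, not code execution.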
Impact
Successful exploitation allows an unauthenticated attacker to execute arbitrary PHP code with the full privileges of the PHP application process, resulting in high confidentiality, integrity, and availability impact. An attacker could read sensitive application data and credentials, modify or delete data, deploy web shells for persistent access, or pivot laterally within the hosting environment. The attack requires only the ability to influence the JMESPath expression string passed to the vulnerable runtime — the data document being searched is not sufficient on its own (GitHub Advisory, Feedly).
Exploitation Steps
- Identify target applications: Locate PHP applications that accept user-supplied JMESPath expressions and use JmesPath\CompilerRuntime or have JP_PHP_COMPILE enabled (e.g., via Composer dependency analysis or application behavior fingerprinting).
- Craft a malicious JMESPath expression: Construct an expression that places attacker-controlled content where the parser expects a function callee name. Because the compiler writes that name inside a PHP string literal in the body of an already-open PHP file, the payload must close that literal and continue as PHP (e.g., a call such as system($_GET['cmd'])); a bare <?php ... ?> tag in that position would produce a parse error rather than execute.
- Submit the expression: Send the crafted expression to the application endpoint that evaluates JMESPath queries (e.g., via an HTTP request parameter, API call, or form field).
- Trigger cache file generation: The CompilerRuntime processes the expression and writes the generated PHP (containing the injected payload) to the compiled-expression cache directory on disk.
- Execute injected code: The runtime loads the generated cache file, causing the injected PHP to execute in the context of the application process and granting the attacker arbitrary code execution with the privileges of the web server user (GitHub Advisory).
Indicators of Compromise
- File system: Unexpected or malformed .php files in the jmespath compiled-expression cache directory containing more than the single opening <?php tag a generated file starts with, or suspicious function calls (system(), exec(), passthru(), shell_exec(), eval()).
- File system: New web shells or backdoor scripts created in the web root or application directories by the PHP process.
- Logs: Application or web server access logs showing requests with unusual JMESPath expression strings containing PHP syntax (<?, ?>, system, exec, or a quote character followed by a semicolon) in query parameters or request bodies.
- Process: Unexpected child processes spawned by PHP-FPM or the web server process (e.g., sh, bash, curl, wget, python) following JMESPath query requests.
- Network: Outbound connections from the web server to unknown external IPs, particularly following requests that include JMESPath expressions in user input.
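The file-system indicator above can be checked mechanically rather than by grepping for strings, which would also match the word "system" inside a legitimate quoted function name. The PHP script below is an added example, not from the jmespath.php project or the advisory: it tokenizes every .php file in a cache directory and reports only genuine calls to shell-execution functions, eval(), the backtick operator, and extra PHP open tags. The cache location and the two sample files it writes are constructed for the demo; point scanCacheDir() at the real compiled-expression directory in practice.

```php
<?php
// Added example, not from the jmespath.php project or the advisory: a
// tokenizer-based sweep of a compiled-expression cache directory that flags
// generated files containing code a JMESPath compiler never emits. The cache
// location and the sample files written below are constructed for the demo.
declare(strict_types=1);

const SUSPICIOUS_CALLS = [
    'system', 'exec', 'passthru', 'shell_exec', 'proc_open', 'popen',
];

// Return human-readable findings for one PHP source string.
function scanPhpSource(string $source): array
{
    $findings = [];
    $openTags = 0;
    $tokens = token_get_all($source);
    $n = count($tokens);
    for ($i = 0; $i < $n; $i++) {
        $tok = $tokens[$i];
        if ($tok === '`') {                       // backtick shell operator
            $findings[] = 'backtick shell-execution operator';
            continue;
        }
        if (!is_array($tok)) {
            continue;
        }
        [$id, $text, $line] = $tok;
        if ($id === T_EVAL) {                     // eval is its own token
            $findings[] = "eval() on line {$line}";
        } elseif ($id === T_OPEN_TAG) {           // one is expected per file
            if (++$openTags > 1) {
                $findings[] = "extra PHP open tag on line {$line}";
            }
        } elseif ($id === T_STRING
                  && in_array(strtolower($text), SUSPICIOUS_CALLS, true)) {
            // Only report a genuine call: next non-whitespace token is '('.
            $j = $i + 1;
            while ($j < $n && is_array($tokens[$j]) && $tokens[$j][0] === T_WHITESPACE) {
                $j++;
            }
            if ($j < $n && $tokens[$j] === '(') {
                $findings[] = "{$text}() call on line {$line}";
            }
        }
    }
    return array_values(array_unique($findings));
}

// Sweep every .php file in the cache directory; returns [file => findings].
function scanCacheDir(string $dir): array
{
    $report = [];
    foreach (glob($dir . '/*.php') ?: [] as $file) {
        $findings = scanPhpSource((string) file_get_contents($file));
        if ($findings !== []) {
            $report[basename($file)] = $findings;
        }
    }
    return $report;
}

// Demo on a throwaway directory with one benign and one poisoned file
// (both constructed here; the poisoned one mimics a quote breakout).
$dir = sys_get_temp_dir() . '/jmespath_cache_demo_' . getmypid();
mkdir($dir, 0700);
file_put_contents("$dir/benign.php",
    "<?php\nfunction jp_ok(\$i, \$d) {\n  return \$i->fnDispatcher('length', [\$d]);\n}\n");
file_put_contents("$dir/poisoned.php",
    "<?php\nfunction jp_bad(\$i, \$d) {\n"
    . "  \$v = \$i->fnDispatcher('x', []); system(\$_GET['cmd']); //', [\$d]);\n"
    . "  return \$v;\n}\n");

foreach (scanCacheDir($dir) as $file => $findings) {
    echo $file, ': ', implode('; ', $findings), "\n";
}
array_map('unlink', glob($dir . '/*.php') ?: []);
rmdir($dir);
```

Only poisoned.php is reported, because in benign.php the word "length" sits inside a string token and fnDispatcher is not on the call list. The same scanPhpSource() routine can be fed file contents pulled from a compromised host during incident response without touching the web server's PHP runtime.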
Mitigation and Remediation
Upgrade mtdowling/jmespath.php to version 2.9.1 or later, which patches the issue by properly escaping function names emitted into generated PHP source. If an immediate upgrade is not possible, unset the JP_PHP_COMPILE environment variable and do not instantiate JmesPath\CompilerRuntime with any attacker-controlled input. Applications should use the default AstRuntime (via JmesPath\search() without JP_PHP_COMPILE) for all untrusted JMESPath expressions, as it interprets the parsed expression tree and is not affected by this vulnerability (GitHub Advisory). After upgrading, also purge the compiled-expression cache directory: a generated file that a vulnerable version already wrote to disk is loaded again on a later cache hit rather than regenerated, so an injected payload persists there until the file is removed.
Community Response
The vulnerability was published by GrahamCampbell via the GitHub Security Advisory program on June 11–12, 2026, with reporter credit to edorian. It was subsequently picked up by automated vulnerability tracking services including VulnDB, OSV, ENISA EUVD, and CISA's weekly bulletin (SB26-166). Red Hat also acknowledged the CVE in their security tracking. Social media activity on Bluesky noted the disclosure, but no significant researcher commentary or broader media coverage has been identified beyond standard vulnerability aggregation (GitHub Advisory, CISA Bulletin).
Additional Resources
Source: This report was generated using AI.
Related NixOS vulnerabilities: