CVE-2024-21534: 
JavaScript vulnerability analysis and mitigation

The vulnerability CVE-2024-21534 affects all versions of the jsonpath-plus package, which is a JavaScript implementation of JSONPath with additional operators. This Remote Code Execution (RCE) vulnerability was discovered and disclosed on September 10, 2024, and stems from improper input sanitization that allows attackers to execute arbitrary code by exploiting the unsafe default usage of vm in Node (Snyk JS, NVD).

The vulnerability is classified as CWE-94 (Improper Control of Generation of Code) with a CVSS v3.1 base score of 9.8 (Critical). Multiple attempts were made to fix the vulnerability in versions 10.0.0-10.1.0, but the fixes proved incomplete as the vulnerability could still be exploited using different payloads. The issue specifically relates to the unsafe default usage of the vm module in Node.js, which allows for code execution through improper input sanitization (GitHub Issue, Snyk Java).

The vulnerability has significant impact on system security, allowing attackers to execute arbitrary code on the affected system. The CVSS scoring indicates high impact on confidentiality, integrity, and availability. The attack can be performed remotely without requiring special conditions or user interaction (Snyk JS).

Users are recommended to upgrade jsonpath-plus to version 10.2.0 or higher, which contains the complete fix for this vulnerability. For users unable to upgrade immediately, there is currently no known workaround that maintains full functionality (Snyk JS).