CVE-2025-1302: 
JavaScript vulnerability analysis and mitigation

Versions of the package jsonpath-plus before 10.3.0 are vulnerable to Remote Code Execution (RCE) due to improper input sanitization. The vulnerability was discovered on January 10, 2025, and publicly disclosed on February 14, 2025. This issue exists as a result of an incomplete fix for a previous vulnerability (CVE-2024-21534) (NVD, Snyk).

The vulnerability allows attackers to execute arbitrary code on the system by exploiting the unsafe default usage of eval='safe' mode. The issue stems from improper handling of non-string property names in the AST evaluator, where the blacklist protection can be bypassed by passing a prop value that is not a string but will be converted to a string containing a forbidden value when toString() is implicitly called during evaluation (GitHub Gist).

The vulnerability can lead to Remote Code Execution (RCE) in server-side contexts where calls to JSONPath() are made with paths constructed from user input. In client-side contexts, this can result in Cross-Site Scripting (XSS) attacks. The vulnerability has been assigned a critical severity rating with significant impact on confidentiality, integrity, and availability (Snyk).

Users should upgrade jsonpath-plus to version 10.3.0 or higher, which contains the fix for this vulnerability. The fix involves proper handling of non-string property names in the AST evaluator (Snyk).