Description
CVE ID: CVE-2025-61140
Severity: Critical
CVSS 3 Score: 9.8
CVSS 2 Score: 9.8
Date Modified: 28-01-2026
PRODUCT: jsonpath 1.1.1
PROBLEM TYPE: Prototype Pollution
DESCRIPTION:
The Node.js package jsonpath 1.1.1 contains a Prototype Pollution vulnerability. This occurs because the library does not properly sanitize or validate special object keys (such as __proto__, constructor, or prototype) within path expressions in lib/index.js. An attacker can exploit this via methods such as the value() function to modify the global Object.prototype.
Source: https://gist.github.com/Dremig/8105c189774217222a8ebea3ed4d341d
Currently there is no updated version of jsonpath, since the last release was 5 years ago. Is there any new upcoming version for this library? If so, by when will it be available?
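A defensive guard for this class of bug, added here as an example and not code from the jsonpath project or the issue author: it extracts member names from a JSONPath expression, rejects any that name __proto__, constructor or prototype before the expression reaches value(), and exposes a canary check for an already polluted Object.prototype. The jsonpath module object (jp) is assumed to be supplied by the caller; it is not loaded here.

```javascript
// Keys that let a path expression walk from a plain object into Object.prototype.
const FORBIDDEN_RE = /(^|[^\w$])(__proto__|constructor|prototype)(?![\w$])/;

// Pull member names out of a JSONPath expression: dot segments ($.a.b),
// quoted bracket segments ($['a']["b"]) and bare bracket segments ($[0], $[*],
// $[?(@.x)]). Filter bodies are returned whole so they can be scanned too.
function memberNames(path) {
  const names = [];
  const re = /\.([^.\[\]]+)|\[\s*(['"])(.*?)\2\s*\]|\[\s*([^'"\]\s]+)\s*\]/g;
  let m;
  while ((m = re.exec(path)) !== null) {
    names.push(m[1] !== undefined ? m[1] : m[3] !== undefined ? m[3] : m[4]);
  }
  return names;
}

// Segments that reference a forbidden key. A key inside a filter expression is
// flagged as well, which is deliberately conservative (a string literal such as
// 'prototype' inside a filter is also rejected).
function unsafeSegments(path) {
  return memberNames(path).filter((name) => FORBIDDEN_RE.test(name));
}

// Hypothetical wrapper around jp.value(): validate first, then delegate.
// jsonpath distinguishes get from set by argument count, so forward that.
function safeValue(jp, obj, path, newValue) {
  const bad = unsafeSegments(path);
  if (bad.length > 0) {
    throw new Error(`rejected JSONPath segment(s): ${bad.join(", ")}`);
  }
  return arguments.length > 3 ? jp.value(obj, path, newValue) : jp.value(obj, path);
}

// Canary: true if Object.prototype already carries an own property of that name,
// i.e. pollution has happened somewhere in the process.
function prototypePolluted(key) {
  return Object.prototype.hasOwnProperty.call(Object.prototype, key);
}

module.exports = { memberNames, unsafeSegments, safeValue, prototypePolluted };
```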