jsonpath-plus < 10.3.0 is vulnerable to Remote Code Execution

[sdecalom]

There is a vulnerability in the jsonpath-plus used in serverless-offline. This package are vulnerable to Remote Code Execution (RCE) due to improper input sanitization. An attacker can execute aribitrary code on the system by exploiting the unsafe default usage of eval='safe' mode. Could the package be updated to version 10.3.0 ?

Ref:
https://security.snyk.io/vuln/SNYK-JS-JSONPATHPLUS-8719585

[sarah-wooten]

This is a concern I have as well

[tstackhouse]

The latest version of this plugin has a fix for this CVE, however all 14.x versions now require Serverless 4, so those of us still using Serverless 3 appear to have no recourse... Are there any plans to backport the fix to 13.x?