Description
CVE-2026-1615 - Critical Severity Vulnerability
Vulnerable Library - jsonpath-1.2.1.tgz
Query JavaScript objects with JSONPath expressions. Robust / safe JSONPath engine for Node.js.
Library home page: https://registry.npmjs.org/jsonpath/-/jsonpath-1.2.1.tgz
Path to dependency file: /ui/package.json
Path to vulnerable library: /ui/node_modules/.pnpm/jsonpath@1.2.1/node_modules/jsonpath/package.json
Dependency Hierarchy:
- @postgres.ai/ce-4.0.3.tgz (Root Library)
  - react-scripts-5.0.1.tgz
    - bfj-7.1.0.tgz
      - ❌ jsonpath-1.2.1.tgz (Vulnerable Library)
Found in base branch: master
Vulnerability Details
Affected versions of the package jsonpath are vulnerable to Arbitrary Code Injection via unsafe evaluation of user-supplied JSON Path expressions. The library relies on the static-eval module to process JSON Path input, which is not designed to handle untrusted data safely. An attacker can exploit this vulnerability by supplying a malicious JSON Path expression that, when evaluated, executes arbitrary JavaScript code, leading to Remote Code Execution in Node.js environments or Cross-site Scripting (XSS) in browser contexts. This affects all methods that evaluate JSON Paths against objects, including .query, .nodes, .paths, .value, .parent, and .apply.
Mend Note: The description of this vulnerability differs from MITRE.
Publish Date: 2026-02-09
URL: CVE-2026-1615
CVSS 3 Score Details (9.8)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: High
  - Availability Impact: High