CVE-2025-1302

CRITICAL

CVSS v3

9.8

CRITICAL

EPSS Score

85.8%

exploit probability

CISA KEV

No

known exploited

Exploitation

SSVC status

Description

Versions of the package jsonpath-plus before 10.3.0 are vulnerable to Remote Code Execution (RCE) due to improper input sanitization. An attacker can execute aribitrary code on the system by exploiting the unsafe default usage of eval='safe' mode. **Note:** This is caused by an incomplete fix for [CVE-2024-21534](https://security.snyk.io/vuln/SNYK-JS-JSONPATHPLUS-7945884).

Technical Details

Published
2/15/2025

Frequently Asked Questions

What is CVE-2025-1302?

Versions of the package jsonpath-plus before 10.3.0 are vulnerable to Remote Code Execution (RCE) due to improper input sanitization. An attacker can execute aribitrary code on the system by exploiting the unsafe default usage of eval='safe' mode. **Note:** This is caused by an incomplete fix for [CVE-2024-21534](https://security.snyk.io/vuln/SNYK-JS-JSONPATHPLUS-7945884).

Is CVE-2025-1302 actively exploited?

Active exploitation of CVE-2025-1302 has not been confirmed. The EPSS score is 85.8%, indicating the estimated probability of exploitation in the next 30 days.

What is the CVSS score for CVE-2025-1302?

CVE-2025-1302 has a CVSS v3 base score of 9.8 (CRITICAL severity).

Is CVE-2025-1302 affecting your environment?

Use isMalicious to check if any of your IPs or domains are associated with this vulnerability's IOCs.