CVE-2025-1302
CRITICALCVSS v3
9.8
CRITICAL
EPSS Score
85.8%
exploit probability
CISA KEV
No
known exploited
Exploitation
—
SSVC status
Description
Versions of the package jsonpath-plus before 10.3.0 are vulnerable to Remote Code Execution (RCE) due to improper input sanitization. An attacker can execute aribitrary code on the system by exploiting the unsafe default usage of eval='safe' mode. **Note:** This is caused by an incomplete fix for [CVE-2024-21534](https://security.snyk.io/vuln/SNYK-JS-JSONPATHPLUS-7945884).
Technical Details
- Published
- 2/15/2025
Frequently Asked Questions
What is CVE-2025-1302?
Versions of the package jsonpath-plus before 10.3.0 are vulnerable to Remote Code Execution (RCE) due to improper input sanitization. An attacker can execute aribitrary code on the system by exploiting the unsafe default usage of eval='safe' mode. **Note:** This is caused by an incomplete fix for [CVE-2024-21534](https://security.snyk.io/vuln/SNYK-JS-JSONPATHPLUS-7945884).
Is CVE-2025-1302 actively exploited?
Active exploitation of CVE-2025-1302 has not been confirmed. The EPSS score is 85.8%, indicating the estimated probability of exploitation in the next 30 days.
What is the CVSS score for CVE-2025-1302?
CVE-2025-1302 has a CVSS v3 base score of 9.8 (CRITICAL severity).
Is CVE-2025-1302 affecting your environment?
Use isMalicious to check if any of your IPs or domains are associated with this vulnerability's IOCs.