Executive Summary

CVE-2026-1615 is an Arbitrary Code Injection vulnerability affecting the jsonpath package, which is used to query JavaScript objects with JSONPath expressions in Node.js environments.

The vulnerability arises because the package relies on the static-eval module to process JSONPath input, which is not designed to safely handle untrusted data.

An attacker can exploit this by supplying a malicious JSONPath expression that, when evaluated, executes arbitrary JavaScript code.

This can lead to Remote Code Execution (RCE) in Node.js environments or Cross-site Scripting (XSS) attacks in browser contexts.

All methods that evaluate JSONPath expressions against objects, including .query, .nodes, .paths, .value, .parent, and .apply, are affected.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can have severe impacts including Remote Code Execution (RCE) in Node.js environments, allowing attackers to execute arbitrary code on the affected system.

In browser contexts, it can lead to Cross-site Scripting (XSS) attacks, which can compromise user data and session integrity.

The vulnerability affects confidentiality, integrity, and availability of the affected systems, posing a high security risk.

The attack can be performed remotely over the network without requiring any privileges or user interaction, making it easier for attackers to exploit.

Useful 0 Not Useful 0

Compliance Impact

I don't know

Useful 0 Not Useful 0

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability affects all versions of the jsonpath package used in Node.js environments. Detection involves analyzing your applications and dependencies to identify if the vulnerable jsonpath package is in use.'}, {'type': 'paragraph', 'content': "You can detect the presence of the vulnerable package by checking your project's dependencies. For example, in a Node.js project, you can run the following command to see if jsonpath is installed:"}, {'type': 'list_item', 'content': 'npm ls jsonpath'}, {'type': 'paragraph', 'content': 'If jsonpath appears in the dependency tree, it indicates potential exposure to this vulnerability.'}, {'type': 'paragraph', 'content': 'Additionally, you can search your codebase for usage of jsonpath methods that evaluate JSONPath expressions, such as `.query`, `.nodes`, `.paths`, `.value`, `.parent`, and `.apply`, since these are the vulnerable points.'}, {'type': 'paragraph', 'content': 'There are no specific network detection commands provided, but monitoring for suspicious JSONPath expressions or unexpected JavaScript code execution in logs or runtime behavior may help identify exploitation attempts.'}] [1, 2]

Useful 0 Not Useful 0

Mitigation Strategies

Since there is currently no fixed version of the jsonpath package addressing this vulnerability, immediate mitigation steps focus on reducing exposure and risk.

• Avoid evaluating untrusted or user-supplied JSONPath expressions in your applications.
• Implement input validation and sanitization to prevent malicious JSONPath expressions from being processed.
• Review and restrict access to APIs or interfaces that accept JSONPath input to trusted users or systems only.
• Monitor application logs and runtime behavior for signs of arbitrary code execution or unusual activity.

Consider using security tools like Snyk to analyze your applications for usage of the vulnerable package and follow their recommended mitigations.

Plan to update or replace the jsonpath package once a fixed version becomes available.

Useful 0 Not Useful 0