Vulnerability Description
All versions of the package jsonpath-plus are vulnerable to Remote Code Execution (RCE) due to improper input sanitization. An attacker can execute aribitrary code on the system by exploiting the unsafe default usage of vm in Node. **Note:** There were several attempts to fix it in versions [10.0.0-10.1.0](https://github.com/JSONPath-Plus/JSONPath/compare/v9.0.0...v10.1.0) but it could still be exploited using [different payloads](https://github.com/JSONPath-Plus/JSONPath/issues/226).
CVSS Score
CRITICAL
Related Weaknesses (CWE)
References
- https://github.com/JSONPath-Plus/JSONPath/compare/v9.0.0...v10.1.0
- https://github.com/JSONPath-Plus/JSONPath/issues/226
- https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-8185019
- https://security.snyk.io/vuln/SNYK-JS-JSONPATHPLUS-7945884
FAQ
What is CVE-2024-21534?
CVE-2024-21534 is a vulnerability with a CVSS score of 9.8 (CRITICAL). All versions of the package jsonpath-plus are vulnerable to Remote Code Execution (RCE) due to improper input sanitization. An attacker can execute aribitrary code on the system by exploiting the unsa...
How severe is CVE-2024-21534?
CVE-2024-21534 has been rated CRITICAL with a CVSS base score of 9.8/10. This is considered a critical vulnerability requiring immediate attention.
Is there a patch for CVE-2024-21534?
Check the references section above for vendor advisories and patch information. Review vendor security bulletins for remediation guidance.