CRITICAL🇵🇱 Wersja polska

CVE-2025-61140

CVSS 9.8v3.1pub. 2026-01-28upd. 2026-06-30

The value function in jsonpath 1.1.1 lib/index.js is vulnerable to Prototype Pollution.

🤖 AI Analysis
How it works

Prototype Pollution (CWE-1321) consists of the attacker's ability to modify the base prototype of a JavaScript object (Object.prototype) by passing crafted input data to a vulnerable function. In this case, the value() function in lib/index.js does not properly validate the keys of processed JSONPath expressions, allowing injection of properties such as '__proto__', 'constructor' or 'prototype'. Infected properties are inherited by all objects in the application, affecting its operation.

Impact

An attacker can modify the behavior of a Node.js application by overwriting global properties of JavaScript objects, which can result in unauthorized data disclosure, violation of application integrity, and in certain scenarios even remote code execution (RCE) or denial of service (DoS).

Mitigation & patch

Patches available from the manufacturer should be applied in accordance with the references. It is recommended to monitor the repository https://github.com/dchester/jsonpath to obtain an updated version of the library. As a temporary workaround, input data passed to the value() function should be validated and sanitized, and consideration should be given to using alternative JSONPath libraries.

Who is affected

Dchester Jsonpath library version 1.1.1 (lib/index.js file, value() function). Affects Node.js applications using this library.

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Dchester Jsonpath

    APP
    Dchester
    1.1.1
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
Deserialization
CWE
References