jmespath.php allows users to use JMESPath, software for declaratively specifying how to extract elements from a JSON document, in PHP applications with PHP data structures. Versions prior to 2.9.1 can generate and execute attacker-controlled PHP code when `JmesPath\CompilerRuntime` is used with an attacker-controlled JMESPath expression. The compiler emits parsed JMESPath function names into generated PHP source without sufficient escaping. A crafted expression can cause the generated cache file to contain executable attacker-controlled PHP, which is then loaded by the compiler runtime. The issue is patched in `2.9.1` and later. As a workaround, disable `JP_PHP_COMPILE` and do not use `JmesPath\CompilerRuntime` with attacker-controlled expressions. Use the default `AstRuntime` for untrusted expressions. Applications that must continue accepting untrusted JMESPath expressions before upgrading should ensure those expressions are never evaluated by the compiler runtime.
The `JmesPath\CompilerRuntime` component processes JMESPath expressions and generates cache files in the form of PHP code. JMESPath function names from the parsed expression are inserted into the generated PHP source without sufficient escaping (CWE-116, CWE-20). An attacker can craft a malicious JMESPath expression containing PHP code that will be embedded directly in the cache file. The generated cache file is then loaded and executed by CompilerRuntime, leading to execution of PHP code controlled by the attacker (CWE-94).
An attacker can gain full control over the server through remote execution of arbitrary PHP code (RCE), which may result in violation of confidentiality, integrity, and availability of the system.
Update the jmespath.php library to version 2.9.1 or later, where the issue has been fixed. As a workaround before updating: disable the `JP_PHP_COMPILE` flag, do not use `JmesPath\CompilerRuntime` with user-controlled expressions, and replace it with the default `AstRuntime` component for all untrusted expressions.
The jmespath.php library in versions prior to 2.9.1, only when the application uses the `JmesPath\CompilerRuntime` component and it processes JMESPath expressions from untrusted users.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HJmespath
APPJmespath< 2.9.1