Warning: High Code Injection Vulnerability In The Javascript Library Jsonpath-Plus Can Be Exploited Remotely, Patch Immediately!

Published: 27/02/2025

Reference: Advisory #2025-45
Version: 1.0
Affected software: JavaScript library jsonpath-plus, versions earlier than 10.3.0
Type: Code Injection (Improper Control of Generation of Code); Remote Code Execution (RCE)
CVE/CVSS: CVE-2025-1302: CVSS 8.9 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

Sources

NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-1302

Risks

Jsonpath-plus is a JavaScript library that extends the implementation of JSONPath and adds support for advanced query expressions, filters, and scripting using JavaScript, allowing for more powerful and flexible JSON data extraction. It is widely used in JavaScript-based applications (Node.js, browser-side apps) to manage data and facilitate interaction with APIs and any other services that use data in the JSON format.

It is unknown whether this vulnerability is being actively exploited as of 27/02/2025. However, a proof of concept is publicly available, which increases the likelihood of exploitation.

Exploitation of this vulnerability can allow attackers to inject and execute arbitrary code, which can lead to Remote Code Execution (RCE), privilege escalation, and server-side exploitation.

CVE-2025-1302 stems from an incomplete fix for an older vulnerability (CVE-2024-21534), which also led to Remote Code Execution (RCE) because of a lack of proper input sanitization.

Exploitation of this vulnerability can have a high impact on all three aspects of the CIA triad (Confidentiality, Integrity, Availability).

Description

A network-based threat actor could exploit this vulnerability to execute arbitrary code using the unsafe default eval='safe' mode, which was initially designed to enable controlled evaluation of JSONPath expressions.

Because jsonpath-plus is used in web applications (APIs) and backend services, attackers can fully compromise critical infrastructure and gain access to sensitive data. In the API case specifically, the attacker could potentially affect and take control of any system that interacts with the compromised system.

Recommended Actions

Patch

The Centre for Cybersecurity Belgium strongly recommends updating the affected software with the highest priority, after thorough testing.

According to Snyk Security, this vulnerability is fixed in version 10.3.0 and later.
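To find copies of jsonpath-plus below the fixed version, including transitive copies nested under other dependencies, the following Node.js script walks an npm lockfile. It is an added example, not code from CCB, Snyk or the JSONPath-Plus project; it assumes the npm lockfile v2/v3 layout with a "packages" map keyed by install path, and the lockfile shown is constructed for illustration.

```javascript
// Added example: scan a package-lock.json (v2/v3 "packages" map) for
// jsonpath-plus installs older than the fixed version 10.3.0.
const FIXED_VERSION = '10.3.0';

// Parse "MAJOR.MINOR.PATCH" into numbers. Pre-release/build suffixes are ignored.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1, 4).map(Number);
}

// Comparator semantics: negative if a < b, zero if equal, positive if a > b.
// Numeric comparison per component, so 10.10.0 correctly sorts above 10.3.0.
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] - pb[i];
  return 0;
}

// Walk every entry of the lockfile's "packages" map. Nested copies live at
// paths like "node_modules/<dep>/node_modules/jsonpath-plus", so match on
// the path suffix rather than on the top-level entry only.
function findVulnerableJsonpathPlus(lockfile) {
  const findings = [];
  for (const [path, meta] of Object.entries(lockfile.packages || {})) {
    if (!path.endsWith('node_modules/jsonpath-plus')) continue;
    if (compareVersions(meta.version, FIXED_VERSION) < 0) {
      findings.push({ path, version: meta.version });
    }
  }
  return findings;
}

// Constructed sample lockfile: the direct dependency is already patched,
// but a transitive copy pulled in by "some-tool" is still vulnerable.
const SAMPLE_LOCKFILE = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', version: '1.0.0' },
    'node_modules/jsonpath-plus': { version: '10.3.0' },
    'node_modules/some-tool': { version: '2.1.0' },
    'node_modules/some-tool/node_modules/jsonpath-plus': { version: '10.2.0' },
  },
};

for (const f of findVulnerableJsonpathPlus(SAMPLE_LOCKFILE)) {
  console.log(`VULNERABLE: ${f.path} is ${f.version} (< ${FIXED_VERSION})`);
}
```

To check a real project, replace SAMPLE_LOCKFILE with JSON.parse(fs.readFileSync('package-lock.json', 'utf8')); a hit on any path means that copy still needs to be updated, not just the top-level one.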

Monitor/Detect

The CCB recommends organizations upscale monitoring and detection capabilities to identify any related suspicious activity, ensuring a swift response in case of an intrusion.

In case of an intrusion, you can report an incident via: https://ccb.belgium.be/cert/report-incident

While patching appliances or software to the newest version may provide safety from future exploitation, it does not remediate historic compromise.

References

Snyk Security: https://security.snyk.io/vuln/SNYK-JS-JSONPATHPLUS-8719585

JSONPath-Plus GitHub (fix commit): https://github.com/JSONPath-Plus/JSONPath/commit/30942896d27cb8a806b965a5ca9ef9f686be24ee

NVD, related vulnerability CVE-2024-21534: https://nvd.nist.gov/vuln/detail/cve-2024-21534