=====================================================================

                            CERT-Renater

                Information Note No. 2026/VULN194
_____________________________________________________________________

DATE                : 19/02/2026

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running jsonpath (npm).

=====================================================================
https://github.com/advisories/GHSA-87r5-mp6g-5w5j
_____________________________________________________________________


jsonpath has Arbitrary Code Injection via Unsafe Evaluation of JSON
Path Expressions
Severity: High | GitHub Reviewed | Published Feb 9, 2026 to the GitHub
Advisory Database | Updated Feb 17, 2026

Vulnerability details

Package
jsonpath (npm)

Affected versions
<= 1.2.1

Patched versions
None


Description

Impact

Arbitrary Code Injection (Remote Code Execution & XSS):

A critical security vulnerability affects all versions of the
jsonpath package. The library relies on the static-eval module to
evaluate JSON Path expressions but fails to properly sanitize or
sandbox the input.

This allows an attacker to inject arbitrary JavaScript code into
the JSON Path expression. When the library evaluates this expression,
the malicious code is executed.

    Node.js Environments: This leads to Remote Code Execution (RCE),
    allowing an attacker to compromise the server.
    Browser Environments: This leads to Cross-Site Scripting (XSS),
    allowing an attacker to hijack user sessions or exfiltrate data.


Affected Methods:

The vulnerability triggers when untrusted data is passed to any method
that evaluates a path, including:

    jsonpath.query
    jsonpath.nodes
    jsonpath.paths
    jsonpath.value
    jsonpath.parent
    jsonpath.apply


Patches

No Patch Available:

Currently, all versions of jsonpath are vulnerable. There is no known
patched version of this package that resolves the issue while retaining
the current architecture.

Recommendation:

Developers are strongly advised to migrate to a secure alternative
(such as jsonpath-plus or similar libraries that do not use
eval/static-eval) or strictly validate all JSON Path inputs against
a known allowlist.


Workarounds

    Strict Input Validation: Ensure that no user-supplied data is ever
    passed directly to jsonpath functions.
    Sanitization: If user input is unavoidable, implement a strict
    parser to reject any JSON Path expressions containing executable
    JavaScript syntax (e.g., parentheses (), script expressions
    script:, or function calls).
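The two workarounds above, as an added example that is not part of the advisory or of the jsonpath library: a gate that admits only plain navigational JSON Path syntax (rejecting "(...)" script expressions, "?(...)" filters and "@"), plus an allowlist that keeps the path under application control. The segment grammar, the ALLOWED_PATHS table and the sample expressions are constructed for this example.

```javascript
// One segment of a deliberately restricted JSON Path grammar:
//   .name | ..name | .* | ..* | [123] | [1:5] | ['name'] | ["name"] | [*]
// Nothing here can reach static-eval: no "(", ")", "?", "@" or escapes.
const SEGMENT = String.raw`(?:\.\.?(?:[A-Za-z_][A-Za-z0-9_]*|\*)|\[(?:\*|-?\d+(?::-?\d+)?|'[^'\\]*'|"[^"\\]*")\])`;
const SAFE_PATH = new RegExp(`^\\$${SEGMENT}*$`);

// Returns true only for a plain navigational path; call
// jsonpath.query(doc, expr) only after this check passes.
function isSafeJsonPath(expr) {
  if (typeof expr !== 'string' || expr.length === 0 || expr.length > 256) {
    return false;
  }
  return SAFE_PATH.test(expr);
}

// Allowlist variant: the caller supplies a key, the application owns the
// path text, so user input never becomes JSON Path syntax at all.
const ALLOWED_PATHS = Object.freeze({
  bookTitles: '$.store.book[*].title',
  firstAuthor: '$.store.book[0].author',
  bikeColor: "$.store['bicycle'].color",
});

function resolveAllowedPath(key) {
  // hasOwnProperty keeps inherited names such as "__proto__" out.
  if (!Object.prototype.hasOwnProperty.call(ALLOWED_PATHS, key)) {
    throw new Error(`unknown path key: ${String(key)}`);
  }
  return ALLOWED_PATHS[key];
}

// Constructed samples: plain navigation versus the constructs the advisory
// warns about (filter and script expressions that static-eval evaluates).
const SAFE_SAMPLES = [
  '$.store.book[*].title', "$['store']..price", '$.store.book[0:2]',
];
const UNSAFE_SAMPLES = [
  '$..book[?(@.price < 10)]', '$..book[(@.length-1)]', '$.store.book[?(@.isbn)].title',
];

function gateAll(exprs) {
  return exprs.map(isSafeJsonPath);
}

console.log(gateAll(SAFE_SAMPLES), gateAll(UNSAFE_SAMPLES));
```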


Resources

    CVE-2026-1615
    Vulnerable Code in handlers.js
    Snyk Advisory (Java/WebJars)
    Snyk Advisory (JS)


References

    https://nvd.nist.gov/vuln/detail/CVE-2026-1615
    https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-15141219
    https://security.snyk.io/vuln/SNYK-JS-JSONPATH-13645034
    https://github.com/dchester/jsonpath/blob/c1dd8ec74034fb0375233abb5fdbec51ac317b4b/lib/handlers.js#L243


Severity
High
8.2 / 10

CVSS v4 base metrics
Exploitability Metrics
Attack Vector Network
Attack Complexity Low
Attack Requirements Present
Privileges Required None
User interaction None
Vulnerable System Impact Metrics
Confidentiality High
Integrity High
Availability High
Subsequent System Impact Metrics
Confidentiality None
Integrity None
Availability None
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P

EPSS score
0.094% (26th percentile)

Weaknesses
Weakness CWE-94

CVE ID
CVE-2026-1615

GHSA ID
GHSA-87r5-mp6g-5w5j

Source code
dchester/jsonpath


Credits

    @saivarun3407 (Analyst)
    @Alina-Podoba (Analyst)



=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================