Nick Copi

**Name of the Vulnerable Software and Affected Versions** jsonpath (affected versions not specified) **Description** The package jsonpath is susceptible to Arbitrary Code Injection due to unsafe evaluation of user-supplied JSON Path expressions. The library utilizes the `static-eval` module to process JSON Path input, which is not designed for untrusted data. An attacker can supply a malicious JSON Path expression that, when evaluated, executes arbitrary JavaScript code, potentially leading to Remote Code Execution in Node.js environments or Cross-site Scripting (XSS) in browser contexts. This impacts all methods that evaluate JSON Paths against objects, including `.query`, `.nodes`, `.paths`, `.value`, `.parent`, and `.apply`. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** jsonpath-plus versions prior to 10.3.0 **Description** The issue is caused by improper input sanitization, allowing an attacker to execute arbitrary code on the system by exploiting the unsafe default usage of eval='safe' mode. This is a result of an incomplete fix for a previous issue. The vulnerability can lead to Remote Code Execution (RCE). **Recommendations** For versions prior to 10.3.0, update to version 10.3.0 or later to resolve the issue. As a temporary workaround, consider disabling the use of eval='safe' mode until a patch is available. Restrict access to sensitive areas of the system to minimize the risk of exploitation. Avoid using unsanitized input in the jsonpath-plus package until the issue is resolved.