CVE-2024-21534

Name of the Vulnerable Software and Affected Versions jsonpath-plus versions prior to 10.0.7

Description The issue is related to Remote Code Execution (RCE) due to improper input sanitization, allowing an attacker to execute arbitrary code on the system by exploiting the unsafe default usage of vm in Node. There were attempts to fix it in versions 10.0.0-10.1.0, but it could still be exploited using different payloads.

Recommendations For jsonpath-plus versions prior to 10.0.7, update to version 10.0.7 or later to resolve the issue. As a temporary workaround, consider disabling the use of vm in Node until a patch is available. Restrict access to the vulnerable package to minimize the risk of exploitation. Avoid using the vulnerable package in production environments until the issue is resolved.