{"resultsPerPage":1,"startIndex":0,"totalResults":1,"format":"NVD_CVE","version":"2.0","timestamp":"2026-04-15T02:25:41.277","vulnerabilities":[{"cve":{"id":"CVE-2025-1302","sourceIdentifier":"report@snyk.io","published":"2025-02-15T05:15:11.683","lastModified":"2025-02-15T05:15:11.683","vulnStatus":"Awaiting Analysis","cveTags":[],"descriptions":[{"lang":"en","value":"Versions of the package jsonpath-plus before 10.3.0 are vulnerable to Remote Code Execution (RCE) due to improper input sanitization. An attacker can execute aribitrary code on the system by exploiting the unsafe default usage of eval='safe' mode.\r\r**Note:**\r\rThis is caused by an incomplete fix for [CVE-2024-21534](https:\/\/security.snyk.io\/vuln\/SNYK-JS-JSONPATHPLUS-7945884)."},{"lang":"es","value":"Las versiones del paquete jsonpath-plus anteriores a la 10.3.0 son vulnerables a la ejecución remota de código (RCE) debido a una depuración de entrada incorrecta. Un atacante puede ejecutar código arbitrario en el sistema aprovechando el uso predeterminado inseguro del modo eval='safe'. **Nota:** Esto se debe a una corrección incompleta de [CVE-2024-21534](https:\/\/security.snyk.io\/vuln\/SNYK-JS-JSONPATHPLUS-7945884)."}],"metrics":{"cvssMetricV40":[{"source":"report@snyk.io","type":"Secondary","cvssData":{"version":"4.0","vectorString":"CVSS:4.0\/AV:N\/AC:L\/AT:N\/PR:N\/UI:N\/VC:H\/VI:H\/VA:H\/SC:N\/SI:N\/SA:N\/E:P\/CR:X\/IR:X\/AR:X\/MAV:X\/MAC:X\/MAT:X\/MPR:X\/MUI:X\/MVC:X\/MVI:X\/MVA:X\/MSC:X\/MSI:X\/MSA:X\/S:X\/AU:X\/R:X\/V:X\/RE:X\/U:X","baseScore":8.9,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","attackRequirements":"NONE","privilegesRequired":"NONE","userInteraction":"NONE","vulnConfidentialityImpact":"HIGH","vulnIntegrityImpact":"HIGH","vulnAvailabilityImpact":"HIGH","subConfidentialityImpact":"NONE","subIntegrityImpact":"NONE","subAvailabilityImpact":"NONE","exploitMaturity":"PROOF_OF_CONCEPT","confidentialityRequirement":"NOT_DEFINED","integrityRequirement":"NOT_DEFINED","availabilityRequirement":"NOT_DEFINED","modifiedAttackVector":"NOT_DEFINED","modifiedAttackComplexity":"NOT_DEFINED","modifiedAttackRequirements":"NOT_DEFINED","modifiedPrivilegesRequired":"NOT_DEFINED","modifiedUserInteraction":"NOT_DEFINED","modifiedVulnConfidentialityImpact":"NOT_DEFINED","modifiedVulnIntegrityImpact":"NOT_DEFINED","modifiedVulnAvailabilityImpact":"NOT_DEFINED","modifiedSubConfidentialityImpact":"NOT_DEFINED","modifiedSubIntegrityImpact":"NOT_DEFINED","modifiedSubAvailabilityImpact":"NOT_DEFINED","Safety":"NOT_DEFINED","Automatable":"NOT_DEFINED","Recovery":"NOT_DEFINED","valueDensity":"NOT_DEFINED","vulnerabilityResponseEffort":"NOT_DEFINED","providerUrgency":"NOT_DEFINED"}}],"cvssMetricV31":[{"source":"report@snyk.io","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1\/AV:N\/AC:L\/PR:N\/UI:N\/S:U\/C:H\/I:H\/A:H","baseScore":9.8,"baseSeverity":"CRITICAL","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":3.9,"impactScore":5.9}]},"weaknesses":[{"source":"report@snyk.io","type":"Secondary","description":[{"lang":"en","value":"CWE-94"}]}],"references":[{"url":"https:\/\/gist.github.com\/nickcopi\/11ba3cb4fdee6f89e02e6afae8db6456","source":"report@snyk.io"},{"url":"https:\/\/github.com\/JSONPath-Plus\/JSONPath\/blob\/8e4acf8aff5f446aa66323e12394ac5615c3b260\/src\/Safe-Script.js%23L127","source":"report@snyk.io"},{"url":"https:\/\/github.com\/JSONPath-Plus\/JSONPath\/commit\/30942896d27cb8a806b965a5ca9ef9f686be24ee","source":"report@snyk.io"},{"url":"https:\/\/security.snyk.io\/vuln\/SNYK-JS-JSONPATHPLUS-8719585","source":"report@snyk.io"}]}}]}