JSONPath Plus Remote Code Execution (RCE) Vulnerability (github.com/jsonpath-plus)
2 points by niel on Oct 21, 2024 | 1 comment


JSONPath-Plus is a widely used [0] JavaScript package to query JSON objects with the JSONPath query language.

Recent versions allow trivial RCE. [1]

[0] 800+ direct dependants https://www.npmjs.com/package/jsonpath-plus?activeTab=depend...

[1] https://github.com/JSONPath-Plus/JSONPath/issues/226



