fix(deps): update dependency jsonpath-plus to v10 [security]

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
jsonpath-plus	^7.2.0 → ^10.3.0

---

JSONPath Plus Remote Code Execution (RCE) Vulnerability

CVE-2024-21534 / GHSA-pppg-cpfq-h7wr

More information

Details

Versions of the package jsonpath-plus before 10.0.7 are vulnerable to Remote Code Execution (RCE) due to improper input sanitization. An attacker can execute aribitrary code on the system by exploiting the unsafe default usage of vm in Node.

Note:

There were several attempts to fix it in versions 10.0.0-10.1.0 but it could still be exploited using different payloads

Severity

• CVSS Score: 9.3 / 10 (Critical)
• Vector String: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

References

• https://nvd.nist.gov/vuln/detail/CVE-2024-21534
• https://github.com/JSONPath-Plus/JSONPath/commit/6b2f1b4c234292c75912b790bf7e2d7339d4ccd3
• https://security.snyk.io/vuln/SNYK-JS-JSONPATHPLUS-7945884
• https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-8185019
• https://github.com/JSONPath-Plus/JSONPath/issues/226
• https://github.com/JSONPath-Plus/JSONPath/commit/b70aa713553caf838a63bac923195a5bc541fd72
• https://github.com/JSONPath-Plus/JSONPath/issues/226#issuecomment-2424230316
• https://github.com/JSONPath-Plus/JSONPath/compare/v9.0.0...v10.1.0
• https://github.com/JSONPath-Plus/JSONPath/pull/233
• https://github.com/JSONPath-Plus/JSONPath/commit/73ad72e5ee788d8287dea6e8283a3f16f63c9eb8
• https://github.com/advisories/GHSA-pppg-cpfq-h7wr

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

---

JSONPath Plus allows Remote Code Execution

CVE-2025-1302 / GHSA-hw8r-x6gr-5gjp

More information

Details

Versions of the package jsonpath-plus before 10.3.0 are vulnerable to Remote Code Execution (RCE) due to improper input sanitization. An attacker can execute aribitrary code on the system by exploiting the unsafe default usage of eval='safe' mode.

Note:

This is caused by an incomplete fix for CVE-2024-21534.

Severity

• CVSS Score: 8.9 / 10 (High)
• Vector String: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P

References

• https://nvd.nist.gov/vuln/detail/CVE-2025-1302
• https://github.com/JSONPath-Plus/JSONPath/commit/30942896d27cb8a806b965a5ca9ef9f686be24ee
• https://gist.github.com/nickcopi/11ba3cb4fdee6f89e02e6afae8db6456
• https://security.snyk.io/vuln/SNYK-JS-JSONPATHPLUS-8719585
• https://nvd.nist.gov/vuln/detail/CVE-2024-21534
• https://github.com/JSONPath-Plus/JSONPath/blob/8e4acf8aff5f446aa66323e12394ac5615c3b260/src/Safe-Script.js#L127
• https://github.com/advisories/GHSA-hw8r-x6gr-5gjp

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

---

Release Notes

s3u/JSONPath (jsonpath-plus)

v10.3.0

Compare Source

• fix(eval): rce using non-string prop names (#​237)
• feat(demo): make demo link shareable (#​238)
• chore: update deps. and devDeps.

v10.2.0

Compare Source

• fix(eval): improve security of safe-eval (#​233)
• chore: update deps. and devDeps.

v10.1.0

Compare Source

• feat: add typeof operator to safe script

v10.0.7

Compare Source

• fix(security): prevent constructor access
• docs: add security policy file

v10.0.6

Compare Source

• fix(security): prevent call/apply invocation of Function

v10.0.5

Compare Source

• fix: remove overly aggressive disabling of native functions but
  disallow __proto__

v10.0.4

Compare Source

• fix(security): further prevent binding of Function calls which may evade detection

v10.0.3

Compare Source

• fix(security): prevent binding of Function calls which may evade detection

v10.0.2

Compare Source

• fix(security): prevent Function calls outside of member expressions

v10.0.1

• fix(security): prohibit Function in "safe" vm

v10.0.0

BREAKING CHANGES:

• Require Node 18+

• fix(security): use safe vm by default in Node

• chore: bump jsep, devDeps. and lint

v9.0.0

Compare Source

BREAKING CHANGES:

• Removes preventEval property. Prefer eval: false instead.

• Changed behavior of eval property. In the browser, eval/Function won't be used by default to evaluate expressions. Instead, we'll safely evaluate using a subset of JavaScript. To resume using unsafe eval in the browser, pass in the option eval: "native"

• feat: add safe eval for browser and eval option (#​185) (@​80avin)

• feat: add ignoreEvalErrors property (@​80avin)

v8.1.0

• feat: add basic cli (#​206) (@​vid)

v8.0.0

• Breaking change: Bump Node engines to 14
• feat: add support for nested filter expressions (@​carlosingles)
• docs: update README and license (@​akirataguchi115)
• docs: github workflow badge (@​dsanch3z)

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • ""
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.