jsonpath has Arbitrary Code Injection via Unsafe Evaluation of JSON Path Expressions
Arbitrary Code Injection (Remote Code Execution & XSS)

A critical security vulnerability affects all versions of the jsonpath package. The library relies on the static-eval module to evaluate JSON Path expressions but fails to properly sanitize or sandbox the input. This allows an attacker to inject arbitrary JavaScript code into the JSON Path expression. When the library evaluates this expression, the malicious code is executed.

Node.js Environments

This leads to …
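The root cause described above is that untrusted JSON Path strings reach a JavaScript evaluator (static-eval) unfiltered. One defensive layer an application can add in front of such a library is a strict allowlist validator that accepts only the structural subset of JSONPath (member access, wildcards, indices, slices, quoted names) and filters of the form `@.field <comparison> <literal>`, and rejects script expressions `[(...)]`, function calls, arithmetic and logical operators outright. The code below is an added example written for this advisory; it is not the jsonpath project's own code. The names `validateJsonPath`, `queryIfSafe` and the `queryFn` parameter are hypothetical; `queryFn` stands in for whatever query function the application uses, and the validator never evaluates the expression itself.

```javascript
// Allowlist validator for JSONPath expressions (added example, not jsonpath's own code).
// Accept only structural JSONPath plus filters shaped like `@.a.b <op> <literal>`,
// and reject everything else before the string can reach an evaluator such as static-eval.

// One filter body: `@`, one or more dotted identifiers, a comparison operator and
// a single literal (number, single-quoted string with no quotes/backslashes,
// true/false/null). No calls, no arithmetic, no logical operators.
const FILTER_BODY = /^@(?:\.[A-Za-z_$][\w$]*)+\s*(?:==|!=|<=|>=|<|>)\s*(?:-?\d+(?:\.\d+)?|'[^'\\]*'|true|false|null)$/;

// One bracketed filter segment `[?( ... )]`; the body may not contain `]`.
const FILTER_SEGMENT = /\[\?\(([^\]]*)\)\]/g;

// The structural path that remains once every filter is replaced by `[*]`:
// `$`, then any number of `.name`, `..name`, `.*`, `[*]`, `[n]`, `[a:b:c]`, `['x','y']`.
const PLAIN_PATH = /^\$(?:\.\.?(?:[A-Za-z_$][\w$]*|\*)|\[(?:\*|-?\d+(?::-?\d+(?::-?\d+)?)?|'[^'\\]*'(?:\s*,\s*'[^'\\]*')*)\])*$/;

// Returns { ok: true, filters } for an acceptable expression, { ok: false, reason } otherwise.
function validateJsonPath(expr) {
  if (typeof expr !== 'string' || expr.length === 0 || expr.length > 512) {
    return { ok: false, reason: 'expression must be a non-empty string of bounded length' };
  }
  // Script expressions `[( ... )]` are evaluated code by definition: reject them unconditionally.
  if (expr.includes('[(')) {
    return { ok: false, reason: 'script expressions [( ... )] are not allowed' };
  }
  // Pull out every filter body and replace the segment with a wildcard for the structural check.
  const filters = [];
  const structural = expr.replace(FILTER_SEGMENT, (_m, body) => {
    filters.push(body.trim());
    return '[*]';
  });
  for (const body of filters) {
    if (!FILTER_BODY.test(body)) {
      return { ok: false, reason: `filter is not a simple comparison: ${body}` };
    }
  }
  // Anything left that is not plain path syntax (including an unparsed `[?(`) is rejected.
  if (!PLAIN_PATH.test(structural)) {
    return { ok: false, reason: `unsupported path syntax: ${structural}` };
  }
  return { ok: true, filters };
}

// Hypothetical wrapper: validate first, then hand the (unchanged) expression to the
// application's query function instead of passing user input straight to the library.
function queryIfSafe(queryFn, data, expr) {
  const verdict = validateJsonPath(expr);
  if (!verdict.ok) {
    throw new Error(`rejected JSONPath: ${verdict.reason}`);
  }
  return queryFn(data, expr);
}
```

The validator is deliberately conservative: a filter it cannot parse into the narrow grammar is rejected rather than passed through, so a quoted `]` inside a filter or a compound condition fails closed. It is a mitigation layer for the application boundary, not a substitute for a library that does not evaluate user-controlled expressions as code.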