
CVE-2026-1615: jsonpath has Arbitrary Code Injection via Unsafe Evaluation of JSON Path Expressions

February 9, 2026 (updated February 17, 2026)

Arbitrary Code Injection (Remote Code Execution & XSS):

A critical security vulnerability affects all versions of the jsonpath package. The library relies on the static-eval module to evaluate JSON Path expressions but fails to properly sanitize or sandbox the input.

This allows an attacker to inject arbitrary JavaScript code into the JSON Path expression. When the library evaluates this expression, the malicious code is executed.

  • Node.js Environments: This leads to Remote Code Execution (RCE), allowing an attacker to compromise the server.
  • Browser Environments: This leads to Cross-Site Scripting (XSS), allowing an attacker to hijack user sessions or exfiltrate data.

Affected Methods:

The vulnerability triggers when untrusted data is passed to any method that evaluates a path, including:

  • jsonpath.query
  • jsonpath.nodes
  • jsonpath.paths
  • jsonpath.value
  • jsonpath.parent
  • jsonpath.apply
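Because the advisory lists no fixed version, the practical mitigation is to keep untrusted input away from the path-evaluating methods above. What follows is an added example, not code from the advisory or from the jsonpath project: an allowlist gate that admits only a narrow static subset of JSONPath (child, recursive-descent, wildcard, index, slice and bracket-quoted names) and refuses anything containing filter `[?(...)]` or script `[(...)]` expressions, which this example assumes are the constructs the library hands to static-eval. The names `isSafeJsonPath`, `guardedQuery` and `classify`, the subset grammar, and the constructed sample paths are all assumptions of this example; `evaluate` stands in for `jsonpath.query` (or any of its siblings) so the snippet runs without the package installed.

```javascript
// Added example, not code from the advisory or the jsonpath project.
// Assumption: the library evaluates the dynamic parts of a path, filter
// expressions "[?(...)]" and script expressions "[(...)]", with static-eval,
// so a gate that admits only static path segments keeps untrusted input
// away from that code path. The subset grammar below is deliberately narrow.

const MAX_PATH_LENGTH = 256;

// One static segment: .name  .*  ..name  ..*  [0]  [-1]  [*]  [1:3]  [:2]  ['name']  ["name"]
// Quoted names may not contain quotes or backslashes, so no escape sequences get through.
const SEGMENT = String.raw`(?:\.\.?(?:[A-Za-z_][A-Za-z0-9_]*|\*)|\[(?:\*|-?\d+|-?\d*:-?\d*(?::-?\d+)?|'[^'\\]*'|"[^"\\]*")\])`;
const SAFE_PATH = new RegExp('^\\$' + SEGMENT + '*$');

// Returns true only for a string made entirely of static segments rooted at "$".
function isSafeJsonPath(expr) {
  if (typeof expr !== 'string' || expr.length === 0 || expr.length > MAX_PATH_LENGTH) {
    return false;
  }
  // Parentheses or "?" can only belong to a filter or script expression: refuse early.
  if (/[()?]/.test(expr)) {
    return false;
  }
  return SAFE_PATH.test(expr);
}

// Wraps a path-evaluating call (in production: jsonpath.query, .nodes, .paths,
// .value, .parent or .apply, per the affected-methods list). `evaluate` is
// injected so the example runs without the package; an unsafe expression is
// rejected before `evaluate` is ever called.
function guardedQuery(evaluate, obj, expr) {
  if (!isSafeJsonPath(expr)) {
    throw new Error('rejected JSONPath expression: ' + JSON.stringify(expr));
  }
  return evaluate(obj, expr);
}

// Constructed sample inputs, as a request-supplied path would look at the gate.
// Production usage would be: guardedQuery(require('jsonpath').query, data, userPath)
const constructedInputs = [
  '$.store.book[0].title',      // accepted: static child and index segments
  '$..author',                  // accepted: recursive descent to a fixed name
  "$.store['bicycle'].color",   // accepted: bracket-quoted name
  '$..book[?(@.price<10)]',     // rejected: filter expression
  '$..book[(@.length-1)]',      // rejected: script expression
];

// Classifies each input so the accept/reject decision can be inspected or logged.
function classify(inputs) {
  return inputs.map((p) => ({ path: p, safe: isSafeJsonPath(p) }));
}

console.log(classify(constructedInputs));
```

The gate is intentionally stricter than the library's full grammar: a legitimate filter expression is also refused, which is the trade-off while no fixed version exists. Where an application genuinely needs filtering, the safer pattern is to keep a fixed set of server-defined paths and let the client pick one by name rather than supply a path string.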

References

  • github.com/advisories/GHSA-87r5-mp6g-5w5j
  • github.com/dchester/jsonpath
  • github.com/dchester/jsonpath/blob/c1dd8ec74034fb0375233abb5fdbec51ac317b4b/lib/handlers.js
  • nvd.nist.gov/vuln/detail/CVE-2026-1615
  • security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-15141219
  • security.snyk.io/vuln/SNYK-JS-JSONPATH-13645034


Affected versions

All versions up to 1.2.1

Solution

Unfortunately, there is no solution available yet.

Impact 9.8 CRITICAL

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H


Weakness

  • CWE-94: Improper Control of Generation of Code ('Code Injection')

Source file

npm/jsonpath/CVE-2026-1615.yml


Page generated Thu, 26 Feb 2026 12:18:39 +0000.