CVE-2026-1615

jsonpath · jsonpath (Node.js/Browser Package)

All versions of the jsonpath library are vulnerable to arbitrary code injection via unsafe evaluation of user-supplied JSON Path expressions.

Executive summary

The jsonpath library is subject to a critical code injection vulnerability that allows unauthenticated attackers to execute arbitrary code in Node.js or perform XSS in browsers.

Vulnerability

The library relies on the static-eval module to evaluate JSON Path input, and that module does not safely handle untrusted data. An attacker can supply a malicious JSON Path expression to any evaluation method (e.g., .query, .nodes) to execute arbitrary JavaScript on the host system or within a user's browser context.

Business impact

This vulnerability poses a severe risk to any application using the jsonpath library to process external input. In Node.js environments, it leads to Remote Code Execution (RCE), while in browsers, it enables Cross-Site Scripting (XSS). The CVSS score of 9.8 reflects the high likelihood of total system compromise and data theft.

Remediation

Immediate Action: Developers should immediately update the jsonpath dependency to the latest patched version or migrate to a more secure alternative.

Proactive Monitoring: Audit codebases to identify where user-supplied input is passed directly to jsonpath evaluation methods.

Compensating Controls: Implement strict input validation or sanitization for all JSON Path expressions before they are processed by the library.
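As an added example of the compensating control above (written for this page, not code from the advisory or from the jsonpath project), the following Node.js allowlist validator accepts only plain member, index, wildcard and slice selectors and rejects anything containing parentheses, `?` or `@`, which is where filter and script expressions (the parts of the syntax handed to an evaluator) live. `safeQuery` takes the evaluator as a parameter (for instance `jp.query` or `jp.nodes`) so that the validator can be exercised without loading the library; the grammar, length cap and function names are this example's own choices.

```javascript
// Added example (not from the advisory or the jsonpath project): an allowlist
// validator for JSON Path expressions, applied before they reach jsonpath.

// Restricted grammar we accept. Anything not matched is rejected, in
// particular filter/script selectors such as "[?(...)]" and "[(...)]".
const SAFE_PATH = new RegExp(
  '^\\$' +
  '(?:' +
    '\\.\\.?(?:[A-Za-z_][A-Za-z0-9_]*|\\*)' +   // .name  ..name  .*  ..*
    '|\\[(?:' +
      '\\*' +                                   // [*]
      '|-?\\d+' +                               // [3]  [-1]
      '|-?\\d*:-?\\d*(?::-?\\d+)?' +            // [0:2]  [::2]  [-2:]
      "|'(?:[^'\\\\]|\\\\.)*'" +                // ['key with spaces']
      '|"(?:[^"\\\\]|\\\\.)*"' +                // ["key"]
    ')\\]' +
  ')*$'
);

const MAX_PATH_LENGTH = 256; // arbitrary cap chosen for this example

function validateJsonPath(expr) {
  if (typeof expr !== 'string') return { ok: false, reason: 'not a string' };
  if (expr.length > MAX_PATH_LENGTH) return { ok: false, reason: 'too long' };
  // Explicit check first so rejections carry a reason that is easy to log
  // and alert on: these characters only occur in expression selectors.
  if (/[()@?]/.test(expr)) return { ok: false, reason: 'expression selector' };
  if (!SAFE_PATH.test(expr)) return { ok: false, reason: 'outside allowlist' };
  return { ok: true, reason: null };
}

// Wrap an evaluator such as jp.query or jp.nodes. The library is not loaded
// here; the caller passes it in, e.g. safeQuery(jp.query, obj, userPath).
function safeQuery(evaluator, obj, expr) {
  const verdict = validateJsonPath(expr);
  if (!verdict.ok) {
    throw new Error(`rejected JSON Path (${verdict.reason})`);
  }
  return evaluator(obj, expr);
}
```

Every alternative in the repeated group starts with a distinct character (`.` or `[`), so the pattern does not backtrack catastrophically, and the length cap bounds the work done on any input.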

Exploitation status

Public Exploit Available: false

Analyst recommendation

The vulnerability in the jsonpath library is a critical supply-chain risk. Organizations must identify all internal and customer-facing applications utilizing this package and apply updates or mitigations immediately to prevent unauthenticated remote code execution.