CVE-2026-54133

jmespath · jmespath.php

The jmespath.php library fails to sanitize input when using the compiler runtime, allowing for remote code execution via crafted JMESPath expressions.

Executive summary

A critical remote code execution vulnerability in jmespath.php allows attackers to execute arbitrary PHP code through malicious JMESPath expressions.

Vulnerability

The vulnerability exists in JmesPath\CompilerRuntime, where the compiler fails to properly escape parsed function names before injecting them into generated PHP source code. An attacker can provide a crafted JMESPath expression that results in the generation and execution of arbitrary PHP code within the application environment.

Business impact

This vulnerability is assigned a 9.8 CVSS score, indicating a critical risk of full system compromise. If an application accepts untrusted JMESPath input, an attacker can achieve remote code execution, leading to complete server takeover, data theft, or the installation of persistent backdoors.

Remediation

Immediate Action: Update jmespath.php to version 2.9.1 or later.

Proactive Monitoring: Monitor application servers for unexpected file creation in cache directories or unauthorized processes initiated by the web server user.

Compensating Controls: As a temporary workaround, disable JP_PHP_COMPILE and switch to AstRuntime for all processing of untrusted or user-supplied JMESPath expressions.
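The workaround above in code, added here as an example rather than code from the advisory or the jmespath.php project: it pins untrusted expressions to AstRuntime regardless of deployment configuration and adds a startup check that fails if the environment would select CompilerRuntime. It assumes a Composer install of the library and that Env::search() honours JP_PHP_COMPILE when choosing a runtime.

```php
<?php
// Added example, not code from the advisory or the jmespath.php project:
// pin the runtime for untrusted expressions to AstRuntime so JP_PHP_COMPILE
// can never route them through CompilerRuntime. Assumes a Composer install
// and that Env::search() honours JP_PHP_COMPILE when choosing a runtime.
require __DIR__ . '/vendor/autoload.php';

use JmesPath\AstRuntime;
use JmesPath\CompilerRuntime;
use JmesPath\Env;

// Weak pattern: which runtime evaluates the expression is decided by the
// deployment environment, not by the code that knows the input is untrusted.
function searchViaEnvironment(string $expression, array $data)
{
    // With JP_PHP_COMPILE set ("on" or a cache directory) this compiles the
    // expression to PHP source and loads it: the code path the CVE concerns.
    return Env::search($expression, $data);
}

// Hardened pattern: the tree-walking interpreter is chosen explicitly and
// cannot be overridden by configuration.
function searchUntrusted(string $expression, array $data)
{
    static $runtime = null;
    if ($runtime === null) {
        $runtime = new AstRuntime();
    }
    return $runtime($expression, $data);
}

// Startup guard for code bases that still call Env::search() somewhere:
// fail fast if the environment would hand this process the compiler.
function assertCompilerRuntimeDisabled(): void
{
    if (Env::createRuntime() instanceof CompilerRuntime) {
        throw new RuntimeException(
            'JP_PHP_COMPILE is set, so CompilerRuntime would evaluate JMESPath '
            . 'expressions; unset it or upgrade jmespath.php to 2.9.1 or later.'
        );
    }
}

// Constructed sample data; $userExpression stands in for an expression
// received from a client and must be treated as untrusted.
$data = ['users' => [['name' => 'alice', 'role' => 'admin'],
                     ['name' => 'bob',   'role' => 'user']]];
$userExpression = "users[?role == 'admin'].name";

assertCompilerRuntimeDisabled();
var_dump(searchUntrusted($userExpression, $data));
```

Call assertCompilerRuntimeDisabled() during application bootstrap so a stray JP_PHP_COMPILE in a container or CI environment is caught before any request is served.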

Exploitation status

Public Exploit Available: false

Analyst recommendation

Remote code execution vulnerabilities are of the highest priority. Developers must upgrade to 2.9.1 immediately. If an immediate upgrade is not feasible, the provided workaround using AstRuntime is essential to prevent exploitation of public-facing applications.