CVE-2026-1615: Critical Node.js jsonpath Flaw Enables Remote Code Execution Without Authentication

jsonpath (Node.js) — Arbitrary Code Injection / Remote Code Execution


Vulnerability Overview

CVE ID: CVE-2026-1615
Affected Component: jsonpath (Node.js package)
Vulnerability Type: Arbitrary Code Injection
Impact: Remote Code Execution (RCE) in Node.js / Cross-Site Scripting (XSS) in browser usage
CVSS v3 Score: 9.8 (Critical)
Attack Vector: Network
Privileges Required: None
User Interaction: None
Exploit Maturity: Public technical discussions available; exploit development feasible
Severity: Critical

A critical vulnerability was identified in the jsonpath npm package where user-supplied JSONPath expressions are evaluated in an unsafe manner. Improper handling of expression parsing allows specially crafted input to break out of the intended query logic and execute arbitrary JavaScript code.

When used in a Node.js server environment, this condition can result in full remote code execution. In browser-based implementations, client-side script execution may occur, leading to XSS and session compromise.

The issue stems from unsafe evaluation logic within JSONPath expression processing. Certain filtering or dynamic evaluation mechanisms fail to restrict executable constructs inside path expressions. As a result, an attacker may inject JavaScript payloads that are interpreted during path resolution.


Technical Root Cause

The library evaluates JSONPath filter expressions using an unsafe evaluator mechanism. Instead of treating the JSONPath strictly as data, parts of the expression are interpreted as executable JavaScript.

Improper neutralization of special characters and object prototype access enables attackers to reference dangerous global objects or constructors. In Node.js environments, access to process-level objects may be achieved, potentially leading to system command execution depending on runtime restrictions.

The vulnerability aligns with:

  • CWE-94 — Improper Control of Generation of Code ('Code Injection')

Affected Versions

All versions prior to the patched release (1.2.1) are considered vulnerable.


Official Patch / Upgrade

Upgrade immediately to the patched version:

Official Package Link:
https://www.npmjs.com/package/jsonpath

Ensure version 1.2.1 or later is installed.

Verification command:

npm ls jsonpath

Upgrade command:

npm install jsonpath@latest

If a transitive dependency pins an older version and prevents a direct upgrade, force the patched release through the package manager's override mechanism (npm `overrides`, Yarn `resolutions`) and confirm the result with the verification command above.


Attack Scenarios

Exploitation becomes possible when:

  • An API endpoint accepts a JSONPath expression as input.
  • User-controlled data is directly passed into:
    • jsonpath.query()
    • jsonpath.nodes()
    • jsonpath.value()
    • jsonpath.paths()
    • jsonpath.apply()
    • jsonpath.parent()
  • No strict input validation or whitelisting exists.
  • The application runs in a privileged Node.js environment.

Example vulnerable pattern:

const result = jsonpath.query(data, userInputPath);

If userInputPath originates from HTTP parameters, request body, headers, or message queues without validation, exploitation risk is high.
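Two ways to keep untrusted input away from the evaluator, as an added example that is not code from the advisory or the jsonpath project: a server-owned allowlist of named queries, and a restricted-grammar check for the cases where a free-form path cannot be avoided. The `queryFn` parameter and the `$.store.book` paths are assumptions for illustration.

```javascript
// Added example (not from the advisory or the jsonpath project): two ways to
// keep untrusted input away from the JSONPath evaluator.

// Strategy 1: the client names a query; the server owns the expression text.
const ALLOWED_QUERIES = Object.freeze({
  titles: '$.store.book[*].title',
  prices: '$.store.book[*].price',
  firstAuthor: '$.store.book[0].author',
});

function resolveNamedQuery(name) {
  // hasOwnProperty guards against prototype keys such as "__proto__" or "toString".
  if (!Object.prototype.hasOwnProperty.call(ALLOWED_QUERIES, name)) return null;
  return ALLOWED_QUERIES[name];
}

// Strategy 2: when a free-form path is unavoidable, accept only a restricted
// grammar: "$", dotted identifier members, numeric indexes and "[*]".
// Filter blocks "[?( )]", script blocks "[( )]", recursive descent "..",
// quotes and backticks never match, so nothing reaches the expression evaluator.
const SAFE_PATH = /^\$(?:\.[A-Za-z_][A-Za-z0-9_]*|\[(?:\d+|\*)\])*$/;
const RESERVED = new Set(['constructor', 'prototype', '__proto__']);
const MAX_LEN = 200;

function isSafePath(expr) {
  if (typeof expr !== 'string' || expr.length > MAX_LEN) return false;
  if (!SAFE_PATH.test(expr)) return false;
  // Defense in depth: refuse member names that resolve to function/prototype objects.
  const members = expr.split(/[.[\]]+/).filter(Boolean); // "$", "store", "0", ...
  return !members.some((m) => RESERVED.has(m));
}

// The advisory's vulnerable pattern, for contrast (do not use):
//   const result = jsonpath.query(data, userInputPath);
// Hardened wrapper: `queryFn` is whatever evaluator the application uses
// (for example jsonpath.query); it is only ever called with a vetted expression.
function safeQuery(queryFn, data, userInputPath) {
  if (!isSafePath(userInputPath)) {
    throw new Error('JSONPath expression rejected by allowlist');
  }
  return queryFn(data, userInputPath);
}
```

Strategy 1 is the stronger control and matches mitigation step 2 below; Strategy 2 is only for endpoints that genuinely need caller-chosen paths.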


Exploitation Details (Educational)

Public security research has demonstrated that JSONPath filter expressions may allow:

  • Access to JavaScript constructors
  • Invocation of dynamic function builders
  • Execution of arbitrary JavaScript logic
  • Access to process, environment variables, and system modules

In Node.js environments, attackers may:

  • Read sensitive files
  • Access environment variables (API keys, tokens)
  • Establish reverse shells (if outbound traffic allowed)
  • Pivot laterally within containerized environments

In browser usage, exploitation may allow:

  • DOM manipulation
  • Cookie theft
  • Credential exfiltration
  • Session hijacking

No authentication is required if the vulnerable endpoint is publicly accessible.


Proof of Concept Status

Public technical write-ups describing exploitation techniques are available in security communities. Demonstrations show arbitrary JavaScript execution during JSONPath evaluation.

For safety reasons, fully weaponized payloads are not included here. However, detection guidance below references observable behavioral indicators that are consistent with known exploit attempts.


Indicators of Exploitation

Application-Level Indicators

  • Unexpected JSONPath expressions containing:
    • constructor
    • Function
    • process
    • Backticks (`)
    • Parenthesis-heavy filter blocks
  • Stack traces referencing:
    • static-eval
    • handlers.js
    • jsonpath internals
  • Unexpected runtime errors during JSONPath resolution
  • Sudden increase in 500 responses on filtering endpoints

Host-Level Indicators

  • Unexpected child processes spawned by node
  • Unusual outbound network connections
  • Access attempts to:
    • /etc/passwd
    • Application secret files
    • .env files
  • Execution of shell commands not present in application logic

Log Sources for Detection

Detection should focus on the following sources:

  • Application logs (request parameters, stack traces)
  • API gateway logs (query string and body logging)
  • Reverse proxy logs
  • Container runtime logs
  • OS audit logs (process creation)
  • EDR telemetry
  • Network egress logs

Detection Rules and Queries

HTTP Log Query

SELECT *
FROM http_logs
WHERE request_uri LIKE '%$..[?(%'
AND (
    request_uri LIKE '%constructor%'
    OR request_uri LIKE '%Function%'
    OR request_uri LIKE '%process%'
    OR request_uri LIKE '%`%'
);

ElasticSearch Query

{
  "query": {
    "bool": {
      "must": [
        { "match": { "request": "$..[?(" } }
      ],
      "should": [
        { "match": { "request": "constructor" } },
        { "match": { "request": "Function" } },
        { "match": { "request": "process" } },
        { "match": { "request": "`" } }
      ]
    }
  }
}

Splunk Query

index=web_logs
("constructor" OR "Function" OR "process" OR "`")
"$..[?("
| stats count by src_ip, uri

Process Creation Monitoring

Alert if:

  • Parent process = node
  • Child process = sh, bash, curl, nc, wget, python
  • Unexpected outbound TCP connections initiated by node

Example audit filter concept:

parent_process=node AND child_process IN (bash, sh, curl, nc, wget)
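The HTTP-log rule from the SQL/Elasticsearch/Splunk queries and the process-creation rule above, implemented as detection logic over constructed sample records; this is an added example, not tooling from the advisory. It assumes a `src_ip method uri status` access-log line format and percent-decodes the URI before matching, which the literal queries above do not do.

```javascript
// Added example (not part of the advisory): the HTTP-log and process-creation
// detection logic from the queries above, run over constructed sample records.
// Assumes a "src_ip method uri status" access-log line format.
const FILTER_MARKER = '[?(';                    // JSONPath filter block
const SUSPICIOUS = ['constructor', 'Function', 'process', '`'];
const SHELLS_AND_TOOLS = new Set(['sh', 'bash', 'curl', 'nc', 'wget', 'python']);
// Returns null for benign requests, otherwise the decoded URI and keyword hits.
// Proxies log query strings percent-encoded, so decode first: "%24..%5B%3F("
// must be seen as "$..[?(". A malformed sequence must not crash the detector.
function classifyRequest(uri) {
  let decoded;
  try { decoded = decodeURIComponent(uri); } catch (e) { decoded = uri; }
  if (!decoded.includes(FILTER_MARKER)) return null;
  const hits = SUSPICIOUS.filter((kw) => decoded.includes(kw));
  return hits.length ? { decoded, hits } : null;
}

function parseAccessLine(line) {
  const m = /^(\S+) (\S+) (\S+) (\d{3})$/.exec(line.trim());
  return m ? { srcIp: m[1], method: m[2], uri: m[3], status: Number(m[4]) } : null;
}

// Mirrors "| stats count by src_ip, uri": one alert record per source address.
function scanAccessLog(lines) {
  const alerts = new Map();
  for (const line of lines) {
    const rec = parseAccessLine(line);
    const c = rec && classifyRequest(rec.uri);
    if (!c) continue;
    const a = alerts.get(rec.srcIp) || { count: 0, hits: new Set(), uris: [] };
    a.count += 1;
    c.hits.forEach((h) => a.hits.add(h));
    a.uris.push(c.decoded);
    alerts.set(rec.srcIp, a);
  }
  return alerts;
}

// Host side: the advisory's "parent_process=node AND child_process IN (...)".
function isSuspiciousSpawn(evt) {
  return evt.parent === 'node' && SHELLS_AND_TOOLS.has(evt.child);
}

// Constructed sample lines (not real traffic). Line 2 is percent-encoded as a
// proxy would log it; a literal-only match such as the SQL query would miss it.
const SAMPLE_LOG = [
  '203.0.113.7 GET /api/search?path=$.store.book[0].title 200',
  '198.51.100.9 GET /api/search?path=%24..%5B%3F(%40.constructor)%5D 500',
  '198.51.100.9 GET /api/search?path=$..[?(@.price<10)] 200',
];
```

Note that the `match` clauses in the Elasticsearch query above pass through the field's analyzer, which discards punctuation such as `$..[?(` on a standard text field; run such patterns against a keyword field (for example with a wildcard query) and decode percent-encoding first, as this function does.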

MITRE ATT&CK Mapping

  • T1190 — Exploit Public-Facing Application
  • T1059 — Command and Scripting Interpreter
  • T1106 — Native API
  • T1055 — Process Injection (post-compromise scenarios)

Risk Assessment

If the vulnerable package is exposed through an internet-facing API, the likelihood of exploitation is high.

Impact severity depends on:

  • Node.js runtime privileges
  • Container isolation
  • Network segmentation
  • Outbound filtering controls
  • Secrets management practices

Applications running as root or with broad file system access face severe compromise risk.


Mitigation Beyond Patching

If upgrade cannot be applied immediately:

  1. Disable user-controlled JSONPath input.
  2. Implement strict whitelist-based filtering of allowed paths.
  3. Remove support for dynamic JSONPath filtering in public endpoints.
  4. Apply container isolation with non-root user.
  5. Restrict outbound traffic at firewall level.
  6. Monitor aggressively for exploitation attempts.

Sanitization alone is not considered sufficient.


Incident Response Guidance

If exploitation is suspected:

  • Immediately isolate the affected host.
  • Revoke all environment credentials.
  • Rotate API keys and database credentials.
  • Review access logs for lateral movement.
  • Rebuild container images from clean sources.
  • Verify dependency integrity using checksum validation.
  • Perform full dependency tree audit.

Business Impact

A successful exploit may lead to:

  • Full server compromise
  • Data breach
  • Ransomware deployment
  • Credential harvesting
  • Regulatory reporting obligations
  • Reputational damage

Final Takeaway

CVE-2026-1615 represents a high-severity remote code execution vulnerability in the widely used jsonpath npm package. The flaw allows arbitrary JavaScript execution when untrusted JSONPath expressions are evaluated without strict validation. Exploitation requires no authentication and can occur over the network.

Immediate upgrade to version 1.2.1 or later is mandatory. Systems that process user-supplied JSONPath expressions must be considered high risk until patched.


Aegiron

Backed by 11+ years in cybersecurity and incident response, we decode the latest threats shaping today’s digital battlefield. This blog cuts through the noise with clear insights on vulnerabilities, emerging exploits, and the cyber news defenders can’t afford to miss.