{"id":1911050,"name":"jsonpath","ecosystem":"npm","description":"Query JavaScript objects with JSONPath expressions. Robust / safe JSONPath engine for Node.js.","homepage":"https://github.com/dchester/jsonpath#readme","licenses":"MIT","normalized_licenses":["MIT"],"repository_url":"https://github.com/dchester/jsonpath","keywords_array":["JSONPath","jsonpath","json-path","object","traversal","json","path","data structures"],"namespace":null,"versions_count":28,"first_release_published_at":"2015-01-29T06:31:43.337Z","latest_release_published_at":"2026-03-05T14:11:58.850Z","latest_release_number":"1.3.0","last_synced_at":"2026-06-27T09:02:13.407Z","created_at":"2022-04-09T18:14:04.343Z","updated_at":"2026-06-27T09:02:13.408Z","registry_url":"https://www.npmjs.com/package/jsonpath","install_command":"npm install jsonpath","documentation_url":null,"metadata":{"funding":null,"dist-tags":{"latest":"1.3.0"}},"repo_metadata":{"id":26321375,"uuid":"29769677","full_name":"dchester/jsonpath","owner":"dchester","description":"Query and manipulate JavaScript objects with JSONPath expressions.  Robust JSONPath engine for Node.js.","archived":false,"fork":false,"pushed_at":"2024-02-29T09:24:09.000Z","size":314,"stargazers_count":1286,"open_issues_count":99,"forks_count":214,"subscribers_count":25,"default_branch":"master","last_synced_at":"2024-05-15T14:54:26.797Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":"","language":"JavaScript","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/dchester.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2015-01-24T07:50:24.000Z","updated_at":"2024-06-18T11:06:47.292Z","dependencies_parsed_at":"2024-06-18T11:18:01.700Z","dependency_job_id":null,"html_url":"https://github.com/dchester/jsonpath","commit_stats":{"total_commits":91,"total_committers":13,"mean_commits":7.0,"dds":0.2417582417582418,"last_synced_commit":"c1dd8ec74034fb0375233abb5fdbec51ac317b4b"},"previous_names":[],"tags_count":24,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/dchester%2Fjsonpath","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/dchester%2Fjsonpath/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/dchester%2Fjsonpath/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/dchester%2Fjsonpath/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/dchester","download_url":"https://codeload.github.com/dchester/jsonpath/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":214764538,"owners_count":15781517,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"},"owner_record":{"login":"dchester","name":"David Chester","uuid":"199934","kind":"user","description":null,"email":"","website":null,"location":"New York, NY","twitter":null,"company":null,"icon_url":"https://avatars.githubusercontent.com/u/199934?v=4","repositories_count":37,"last_synced_at":"2024-04-15T00:17:33.597Z","metadata":{"has_sponsors_listing":false},"html_url":"https://github.com/dchester","funding_links":[],"total_stars":2315,"followers":94,"following":4,"created_at":"2022-11-02T16:35:07.782Z","updated_at":"2024-04-15T00:17:34.483Z","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/dchester","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/dchester/repositories"},"tags":[{"name":"1.1.0","sha":"eafa80c5b20038ea348fdfbe8ac4d0467be6e4fd","kind":"commit","published_at":"2021-01-14T20:37:13.000Z","download_url":"https://codeload.github.com/dchester/jsonpath/tar.gz/1.1.0","html_url":"https://github.com/dchester/jsonpath/releases/tag/1.1.0","dependencies_parsed_at":null,"dependency_job_id":null,"tag_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/dchester%2Fjsonpath/tags/1.1.0","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/dchester%2Fjsonpath/tags/1.1.0/manifests"},{"name":"1.0.2","sha":"778bc1ea297309e5925910698bb8ead9369d2e55","kind":"commit","published_at":"2019-06-03T04:08:19.000Z","download_url":"https://codeload.github.com/dchester/jsonpath/tar.gz/1.0.2","html_url":"https://github.com/dchester/jsonpath/releases/tag/1.0.2","dependencies_parsed_at":null,"dependency_job_id":null,"tag_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/dchester%2Fjsonpath/tags/1.0.2","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/dchester%2Fjsonpath/tags/1.0.2/manifests"},{"name":"1.0.0","sha":"9713c6f94198df510d9ebb6b2a73fce3762e6601","kind":"commit","published_at":"2017-10-21T18:15:06.000Z","download_url":"https://codeload.github.com/dchester/jsonpath/tar.gz/1.0.0","html_url":"https://github.com/dchester/jsonpath/releases/tag/1.0.0","dependencies_parsed_at":null,"dependency_job_id":null,"tag_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/dchester%2Fjsonpath/tags/1.0.0","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/dchester%2Fjsonpath/tags/1.0.0/manifests"},{"name":"0.2.11","sha":"4e4087c78e5d0e32a769f1270af16198bc77f2d3","kind":"commit","published_at":"2017-02-15T18:41:53.000Z","download_url":"https://codeload.github.com/dchester/jsonpath/tar.gz/0.2.11","html_url":"https://github.com/dchester/jsonpath/releases/tag/0.2.11","dependencies_parsed_at":null,"dependency_job_id":null,"tag_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/dchester%2Fjsonpath/tags/0.2.11","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/dchester%2Fjsonpath/tags/0.2.11/manifests"},{"name":"0.2.10","sha":"c2d7030248b505e45914780ca2779bbe66765698","kind":"commit","published_at":"2017-02-10T21:58:32.000Z","download_url":"https://codeload.github.com/dchester/jsonpath/tar.gz/0.2.10","html_url":"https://github.com/dchester/jsonpath/releases/tag/0.2.10","dependencies_parsed_at":null,"dependency_job_id":null,"tag_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/dchester%2Fjsonpath/tags/0.2.10","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/dchester%2Fjsonpath/tags/0.2.10/manifests"},{"name":"0.2.9","sha":"ed27ad3e79efe507bbbea10f9272a29c6673412b","kind":"commit","published_at":"2016-11-23T02:19:07.000Z","download_url":"https://codeload.github.com/dchester/jsonpath/tar.gz/0.2.9","html_url":"https://github.com/dchester/jsonpath/releases/tag/0.2.9","dependencies_parsed_at":null,"dependency_job_id":null,"tag_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/dchester%2Fjsonpath/tags/0.2.9","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/dchester%2Fjsonpath/tags/0.2.9/manifests"},{"name":"0.2.8","sha":"d10c6c48a9eb4fb9b0b75d785286d104e876ea75","kind":"commit","published_at":"2016-11-16T21:40:56.000Z","download_url":"https://codeload.github.com/dchester/jsonpath/tar.gz/0.2.8","html_url":"https://github.com/dchester/jsonpath/releases/tag/0.2.8","dependencies_parsed_at":null,"dependency_job_id":null,"tag_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/dchester%2Fjsonpath/tags/0.2.8","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/dchester%2Fjsonpath/tags/0.2.8/manifests"},{"name":"0.2.7","sha":"5b16cbfb471b2038911803419c0a7df1ba79f651","kind":"commit","published_at":"2016-08-29T16:26:40.000Z","download_url":"https://codeload.github.com/dchester/jsonpath/tar.gz/0.2.7","html_url":"https://github.com/dchester/jsonpath/releases/tag/0.2.7","dependencies_parsed_at":null,"dependency_job_id":null,"tag_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/dchester%2Fjsonpath/tags/0.2.7","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/dchester%2Fjsonpath/tags/0.2.7/manifests"},{"name":"0.2.6","sha":"9f27a03825db27c11006317ee013921e16cbc57c","kind":"commit","published_at":"2016-07-01T21:40:15.000Z","download_url":"https://codeload.github.com/dchester/jsonpath/tar.gz/0.2.6","html_url":"https://github.com/dchester/jsonpath/releases/tag/0.2.6","dependencies_parsed_at":null,"dependency_job_id":null,"tag_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/dchester%2Fjsonpath/tags/0.2.6","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/dchester%2Fjsonpath/tags/0.2.6/manifests"},{"name":"0.2.5","sha":"51eae99646a55f20602a2d8c23dd48df9e98e79b","kind":"commit","published_at":"2016-06-17T16:26:45.000Z","download_url":"https://codeload.github.com/dchester/jsonpath/tar.gz/0.2.5","html_url":"https://github.com/dchester/jsonpath/releases/tag/0.2.5","dependencies_parsed_at":null,"dependency_job_id":null,"tag_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/dchester%2Fjsonpath/tags/0.2.5","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/dchester%2Fjsonpath/tags/0.2.5/manifests"},{"name":"0.2.4","sha":"a06ff8a49290f77489cede70d626945d5526201a","kind":"commit","published_at":"2016-06-04T21:08:10.000Z","download_url":"https://codeload.github.com/dchester/jsonpath/tar.gz/0.2.4","html_url":"https://github.com/dchester/jsonpath/releases/tag/0.2.4","dependencies_parsed_at":null,"dependency_job_id":null,"tag_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/dchester%2Fjsonpath/tags/0.2.4","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/dchester%2Fjsonpath/tags/0.2.4/manifests"},{"name":"0.2.3","sha":"381953d3a5aa351d1f6dc9a2811f69e49bcb509d","kind":"commit","published_at":"2016-05-14T19:16:21.000Z","download_url":"https://codeload.github.com/dchester/jsonpath/tar.gz/0.2.3","html_url":"https://github.com/dchester/jsonpath/releases/tag/0.2.3","dependencies_parsed_at":null,"dependency_job_id":null,"tag_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/dchester%2Fjsonpath/tags/0.2.3","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/dchester%2Fjsonpath/tags/0.2.3/manifests"},{"name":"0.2.2","sha":"f615b9d468d5b24d60f4c0dd1388249c129cfd6a","kind":"commit","published_at":"2015-11-27T19:42:49.000Z","download_url":"https://codeload.github.com/dchester/jsonpath/tar.gz/0.2.2","html_url":"https://github.com/dchester/jsonpath/releases/tag/0.2.2","dependencies_parsed_at":null,"dependency_job_id":null,"tag_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/dchester%2Fjsonpath/tags/0.2.2","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/dchester%2Fjsonpath/tags/0.2.2/manifests"},{"name":"0.2.1","sha":"d5722d28fe5237f8a347a604823dd801ef4046e4","kind":"commit","published_at":"2015-11-20T14:16:37.000Z","download_url":"https://codeload.github.com/dchester/jsonpath/tar.gz/0.2.1","html_url":"https://github.com/dchester/jsonpath/releases/tag/0.2.1","dependencies_parsed_at":null,"dependency_job_id":null,"tag_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/dchester%2Fjsonpath/tags/0.2.1","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/dchester%2Fjsonpath/tags/0.2.1/manifests"},{"name":"0.2.0","sha":"fa92d06016d75f3ecedc85229ecb41880db09933","kind":"commit","published_at":"2015-09-06T16:49:06.000Z","download_url":"https://codeload.github.com/dchester/jsonpath/tar.gz/0.2.0","html_url":"https://github.com/dchester/jsonpath/releases/tag/0.2.0","dependencies_parsed_at":null,"dependency_job_id":null,"tag_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/dchester%2Fjsonpath/tags/0.2.0","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/dchester%2Fjsonpath/tags/0.2.0/manifests"},{"name":"0.1.8","sha":"f72e5ad80bf0b57fab7773c43f28d721645c2a3e","kind":"commit","published_at":"2015-06-22T02:16:30.000Z","download_url":"https://codeload.github.com/dchester/jsonpath/tar.gz/0.1.8","html_url":"https://github.com/dchester/jsonpath/releases/tag/0.1.8","dependencies_parsed_at":null,"dependency_job_id":null,"tag_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/dchester%2Fjsonpath/tags/0.1.8","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/dchester%2Fjsonpath/tags/0.1.8/manifests"},{"name":"0.1.7","sha":"9fc29891dd90143f3618f691f0321f6c8a7478e7","kind":"commit","published_at":"2015-06-08T11:41:27.000Z","download_url":"https://codeload.github.com/dchester/jsonpath/tar.gz/0.1.7","html_url":"https://github.com/dchester/jsonpath/releases/tag/0.1.7","dependencies_parsed_at":null,"dependency_job_id":null,"tag_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/dchester%2Fjsonpath/tags/0.1.7","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/dchester%2Fjsonpath/tags/0.1.7/manifests"},{"name":"0.1.6","sha":"b56b291d8394b9b7f605ebe146b9d2f56c4fda4d","kind":"commit","published_at":"2015-06-08T05:36:11.000Z","download_url":"https://codeload.github.com/dchester/jsonpath/tar.gz/0.1.6","html_url":"https://github.com/dchester/jsonpath/releases/tag/0.1.6","dependencies_parsed_at":null,"dependency_job_id":null,"tag_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/dchester%2Fjsonpath/tags/0.1.6","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/dchester%2Fjsonpath/tags/0.1.6/manifests"},{"name":"0.1.5","sha":"855ddc0a1a8138e8361492eb620fca6fe21d6300","kind":"commit","published_at":"2015-06-07T19:07:18.000Z","download_url":"https://codeload.github.com/dchester/jsonpath/tar.gz/0.1.5","html_url":"https://github.com/dchester/jsonpath/releases/tag/0.1.5","dependencies_parsed_at":null,"dependency_job_id":null,"tag_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/dchester%2Fjsonpath/tags/0.1.5","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/dchester%2Fjsonpath/tags/0.1.5/manifests"},{"name":"0.1.4","sha":"db582298a2f7a3741a55eb291af37b4950243692","kind":"commit","published_at":"2015-05-27T03:35:57.000Z","download_url":"https://codeload.github.com/dchester/jsonpath/tar.gz/0.1.4","html_url":"https://github.com/dchester/jsonpath/releases/tag/0.1.4","dependencies_parsed_at":null,"dependency_job_id":null,"tag_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/dchester%2Fjsonpath/tags/0.1.4","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/dchester%2Fjsonpath/tags/0.1.4/manifests"},{"name":"0.1.3","sha":"30a839213dffe3bcc8eefddd74e18de2a2e21a67","kind":"commit","published_at":"2015-01-30T22:02:02.000Z","download_url":"https://codeload.github.com/dchester/jsonpath/tar.gz/0.1.3","html_url":"https://github.com/dchester/jsonpath/releases/tag/0.1.3","dependencies_parsed_at":null,"dependency_job_id":null,"tag_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/dchester%2Fjsonpath/tags/0.1.3","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/dchester%2Fjsonpath/tags/0.1.3/manifests"},{"name":"0.1.2","sha":"9d294e7efa3c5b546b2ce1fac7449b87967a6211","kind":"commit","published_at":"2015-01-29T06:06:11.000Z","download_url":"https://codeload.github.com/dchester/jsonpath/tar.gz/0.1.2","html_url":"https://github.com/dchester/jsonpath/releases/tag/0.1.2","dependencies_parsed_at":null,"dependency_job_id":null,"tag_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/dchester%2Fjsonpath/tags/0.1.2","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/dchester%2Fjsonpath/tags/0.1.2/manifests"},{"name":"0.1.1","sha":"167826a81fc1f859a9a316a865eb7d2fa532884e","kind":"commit","published_at":"2015-01-29T05:52:00.000Z","download_url":"https://codeload.github.com/dchester/jsonpath/tar.gz/0.1.1","html_url":"https://github.com/dchester/jsonpath/releases/tag/0.1.1","dependencies_parsed_at":null,"dependency_job_id":null,"tag_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/dchester%2Fjsonpath/tags/0.1.1","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/dchester%2Fjsonpath/tags/0.1.1/manifests"},{"name":"0.1.0","sha":"367ad1326f65a66d136ab02df2eafaac2ba60c3a","kind":"commit","published_at":"2015-01-24T19:13:06.000Z","download_url":"https://codeload.github.com/dchester/jsonpath/tar.gz/0.1.0","html_url":"https://github.com/dchester/jsonpath/releases/tag/0.1.0","dependencies_parsed_at":null,"dependency_job_id":null,"tag_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/dchester%2Fjsonpath/tags/0.1.0","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/dchester%2Fjsonpath/tags/0.1.0/manifests"}]},"repo_metadata_updated_at":"2024-09-08T05:50:40.315Z","dependent_packages_count":1059,"downloads":14869421,"downloads_period":"last-month","dependent_repos_count":18744,"rankings":{"downloads":0.1583129992019668,"dependent_repos_count":0.20860939808472492,"dependent_packages_count":0.0700375507032207,"stargazers_count":2.3203776995375343,"forks_count":2.3682102862872694,"docker_downloads_count":0.0817294092484459,"average":0.8678795571771937},"purl":"pkg:npm/jsonpath","advisories":[{"uuid":"GSA_kwCzR0hTQS04N3I1LW1wNmctNXc1as4ABSGd","url":"https://github.com/advisories/GHSA-87r5-mp6g-5w5j","title":"jsonpath has Arbitrary Code Injection via Unsafe Evaluation of JSON Path Expressions","description":"### Impact\n\n**Arbitrary Code Injection (Remote Code Execution \u0026 XSS):**\n\nA critical security vulnerability affects **all versions** of the `jsonpath` package. The library relies on the `static-eval` module to evaluate JSON Path expressions but fails to properly sanitize or sandbox the input.\n\nThis allows an attacker to inject arbitrary JavaScript code into the JSON Path expression. When the library evaluates this expression, the malicious code is executed.\n\n* **Node.js Environments:** This leads to **Remote Code Execution (RCE)**, allowing an attacker to compromise the server.\n* **Browser Environments:** This leads to **Cross-Site Scripting (XSS)**, allowing an attacker to hijack user sessions or exfiltrate data.\n\n**Affected Methods:**\n\nThe vulnerability triggers when untrusted data is passed to any method that evaluates a path, including:\n\n* `jsonpath.query`\n* `jsonpath.nodes`\n* `jsonpath.paths`\n* `jsonpath.value`\n* `jsonpath.parent`\n* `jsonpath.apply`\n\n### Patches\n\n**No Patch Available:**\n\nCurrently, **all versions** of `jsonpath` are vulnerable. There is no known patched version of this package that resolves the issue while retaining the current architecture.\n\n**Recommendation:**\n\nDevelopers are strongly advised to **migrate to a secure alternative** (such as `jsonpath-plus` or similar libraries that do not use `eval`/`static-eval`) or strictly validate all JSON Path inputs against a known allowlist.\n\n### Workarounds\n\n* **Strict Input Validation:** Ensure that no user-supplied data is ever passed directly to `jsonpath` functions.\n* **Sanitization:** If user input is unavoidable, implement a strict parser to reject any JSON Path expressions containing executable JavaScript syntax (e.g., parentheses `()`, script expressions `script:`, or function calls).\n\n### Resources\n\n* [CVE-2026-1615](https://nvd.nist.gov/vuln/detail/CVE-2026-1615)\n* [Vulnerable Code in handlers.js](https://github.com/dchester/jsonpath/blob/c1dd8ec74034fb0375233abb5fdbec51ac317b4b/lib/handlers.js#L243)\n* [Snyk Advisory (Java/WebJars)](https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-15141219)\n* [Snyk Advisory (JS)](https://security.snyk.io/vuln/SNYK-JS-JSONPATH-13645034)","origin":"UNSPECIFIED","severity":"HIGH","published_at":"2026-02-09T06:30:28.000Z","withdrawn_at":null,"classification":"GENERAL","cvss_score":8.2,"cvss_vector":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P","references":["https://nvd.nist.gov/vuln/detail/CVE-2026-1615","https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-15141219","https://security.snyk.io/vuln/SNYK-JS-JSONPATH-13645034","https://github.com/dchester/jsonpath/blob/c1dd8ec74034fb0375233abb5fdbec51ac317b4b/lib/handlers.js#L243","https://github.com/dchester/jsonpath/pull/197","https://github.com/dchester/jsonpath/commit/491e2e01de2ff13f7d95e87eb2be726edbf4225f","https://github.com/dchester/jsonpath/commit/b61111f07ac1a8d0f3133b5fc51438ecb76a6c39","https://github.com/advisories/GHSA-87r5-mp6g-5w5j"],"source_kind":"github","identifiers":["GHSA-87r5-mp6g-5w5j","CVE-2026-1615"],"repository_url":null,"blast_radius":0.0,"created_at":"2026-02-12T16:00:08.125Z","updated_at":"2026-06-22T17:02:08.880Z","epss_percentage":0.00834,"epss_percentile":0.52863,"api_url":"https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS04N3I1LW1wNmctNXc1as4ABSGd","html_url":"https://advisories.ecosyste.ms/advisories/GSA_kwCzR0hTQS04N3I1LW1wNmctNXc1as4ABSGd","packages":[{"ecosystem":"npm","package_name":"jsonpath","versions":[{"first_patched_version":"1.3.0","vulnerable_version_range":"\u003c= 1.2.1"}],"purl":"pkg:npm/jsonpath"}],"related_packages_url":"https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS04N3I1LW1wNmctNXc1as4ABSGd/related_packages","related_advisories":[]},{"uuid":"GSA_kwCzR0hTQS02YzU5LW13Z2gtcjJ4Ns4ABRrW","url":"https://github.com/advisories/GHSA-6c59-mwgh-r2x6","title":"JSONPath vulnerable to Prototype Pollution due to insufficient input validation of object keys in lib/index.js","description":"The value function in jsonpath 1.1.1 lib/index.js is vulnerable to Prototype Pollution.","origin":"UNSPECIFIED","severity":"MODERATE","published_at":"2026-01-28T18:30:47.000Z","withdrawn_at":null,"classification":"GENERAL","cvss_score":6.6,"cvss_vector":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U","references":["https://nvd.nist.gov/vuln/detail/CVE-2025-61140","https://gist.github.com/Dremig/8105c189774217222a8ebea3ed4d341d","https://github.com/dchester/jsonpath","https://github.com/dchester/jsonpath/issues/181","https://github.com/dchester/jsonpath/issues/194","https://github.com/dchester/jsonpath/pull/195","https://github.com/dchester/jsonpath/commit/9631412641b7095f86840a7a45b5b3afc68b0fcb","https://github.com/advisories/GHSA-6c59-mwgh-r2x6"],"source_kind":"github","identifiers":["GHSA-6c59-mwgh-r2x6","CVE-2025-61140"],"repository_url":null,"blast_radius":0.0,"created_at":"2026-02-02T15:00:08.783Z","updated_at":"2026-06-22T17:02:53.213Z","epss_percentage":0.00332,"epss_percentile":0.24868,"api_url":"https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS02YzU5LW13Z2gtcjJ4Ns4ABRrW","html_url":"https://advisories.ecosyste.ms/advisories/GSA_kwCzR0hTQS02YzU5LW13Z2gtcjJ4Ns4ABRrW","packages":[{"ecosystem":"npm","package_name":"jsonpath","versions":[{"first_patched_version":"1.2.0","vulnerable_version_range":"\u003c 1.2.0"}],"purl":"pkg:npm/jsonpath"}],"related_packages_url":"https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS02YzU5LW13Z2gtcjJ4Ns4ABRrW/related_packages","related_advisories":[]}],"docker_usage_url":"https://docker.ecosyste.ms/usage/npm/jsonpath","docker_dependents_count":503,"docker_downloads_count":610589358,"usage_url":"https://repos.ecosyste.ms/usage/npm/jsonpath","dependent_repositories_url":"https://repos.ecosyste.ms/api/v1/usage/npm/jsonpath/dependencies","status":null,"funding_links":[],"critical":null,"issue_metadata":{"last_synced_at":"2024-09-06T13:08:13.766Z","issues_count":83,"pull_requests_count":25,"avg_time_to_close_issue":12977290.222222222,"avg_time_to_close_pull_request":51159365.92307692,"issues_closed_count":9,"pull_requests_closed_count":13,"pull_request_authors_count":23,"issue_authors_count":80,"avg_comments_per_issue":1.963855421686747,"avg_comments_per_pull_request":3.08,"merged_pull_requests_count":1,"bot_issues_count":0,"bot_pull_requests_count":0,"past_year_issues_count":5,"past_year_pull_requests_count":2,"past_year_avg_time_to_close_issue":null,"past_year_avg_time_to_close_pull_request":null,"past_year_issues_closed_count":0,"past_year_pull_requests_closed_count":0,"past_year_pull_request_authors_count":2,"past_year_issue_authors_count":5,"past_year_avg_comments_per_issue":1.6,"past_year_avg_comments_per_pull_request":0.0,"past_year_bot_issues_count":0,"past_year_bot_pull_requests_count":0,"past_year_merged_pull_requests_count":0,"issues_url":"https://issues.ecosyste.ms/api/v1/hosts/GitHub/repositories/dchester%2Fjsonpath/issues","maintainers":[],"active_maintainers":[]},"versions_url":"https://packages.ecosyste.ms/api/v1/registries/npmjs.org/packages/jsonpath/versions","version_numbers_url":"https://packages.ecosyste.ms/api/v1/registries/npmjs.org/packages/jsonpath/version_numbers","latest_version_url":"https://packages.ecosyste.ms/api/v1/registries/npmjs.org/packages/jsonpath/latest_version","dependent_packages_url":"https://packages.ecosyste.ms/api/v1/registries/npmjs.org/packages/jsonpath/dependent_packages","related_packages_url":"https://packages.ecosyste.ms/api/v1/registries/npmjs.org/packages/jsonpath/related_packages","codemeta_url":"https://packages.ecosyste.ms/api/v1/registries/npmjs.org/packages/jsonpath/codemeta","maintainers":[{"uuid":"dchester","login":"dchester","name":null,"email":"david@fmail.co.uk","url":null,"packages_count":11,"html_url":"https://www.npmjs.com/~dchester","role":null,"created_at":"2022-11-12T23:13:11.715Z","updated_at":"2022-11-12T23:13:11.715Z","packages_url":"https://packages.ecosyste.ms/api/v1/registries/npmjs.org/maintainers/dchester/packages"}]}