Update dependency jsonpath to v1.3.0 [SECURITY] #686

Open

renovate[bot] wants to merge 1 commit into main from renovate/npm-jsonpath-vulnerability

Conversation

@renovate (renovate Bot, Contributor) commented May 20, 2026

This PR contains the following updates:

Package  | Change         | Age         | Confidence
jsonpath | 1.1.1 -> 1.3.0 | (age badge) | (confidence badge)

JSONPath vulnerable to Prototype Pollution due to insufficient input validation of object keys in lib/index.js

CVE-2025-61140 / GHSA-6c59-mwgh-r2x6

Details

The value function in jsonpath 1.1.1 lib/index.js is vulnerable to Prototype Pollution.

Severity

  • CVSS Score: 6.6 / 10 (Medium)
  • Vector String: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


jsonpath has Arbitrary Code Injection via Unsafe Evaluation of JSON Path Expressions

CVE-2026-1615 / GHSA-87r5-mp6g-5w5j

Details

Impact

Arbitrary Code Injection (Remote Code Execution & XSS):

A critical security vulnerability affects all versions of the jsonpath package. The library relies on the static-eval module to evaluate JSON Path expressions but fails to properly sanitize or sandbox the input.

This allows an attacker to inject arbitrary JavaScript code into the JSON Path expression. When the library evaluates this expression, the malicious code is executed.

  • Node.js Environments: This leads to Remote Code Execution (RCE), allowing an attacker to compromise the server.
  • Browser Environments: This leads to Cross-Site Scripting (XSS), allowing an attacker to hijack user sessions or exfiltrate data.

Affected Methods:

The vulnerability triggers when untrusted data is passed to any method that evaluates a path, including:

  • jsonpath.query
  • jsonpath.nodes
  • jsonpath.paths
  • jsonpath.value
  • jsonpath.parent
  • jsonpath.apply

Patches

No Patch Available:

Currently, all versions of jsonpath are vulnerable. There is no known patched version of this package that resolves the issue while retaining the current architecture.

Recommendation:

Developers are strongly advised to migrate to a secure alternative (such as jsonpath-plus or similar libraries that do not use eval/static-eval) or strictly validate all JSON Path inputs against a known allowlist.

Workarounds
  • Strict Input Validation: Ensure that no user-supplied data is ever passed directly to jsonpath functions.
  • Sanitization: If user input is unavoidable, implement a strict parser to reject any JSON Path expressions containing executable JavaScript syntax (e.g., parentheses (), script expressions script:, or function calls).

Severity

  • CVSS Score: 8.2 / 10 (High)
  • Vector String: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


Release Notes

dchester/jsonpath (jsonpath)

v1.3.0 (Compare Source)
v1.2.1 (Compare Source)
v1.2.0 (Compare Source)


Configuration

📅 Schedule: (UTC)

  • Branch creation
    • ""
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Enabled.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.
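The workaround the advisory describes (reject any JSONPath expression carrying executable syntax, and never let a member segment name a prototype key), as an added example that is not part of this PR or of the jsonpath project. The accepted grammar subset, the 256-character limit and the helper names are assumptions made for illustration:

```javascript
// Added example, not code from this PR or the jsonpath project: a gate run
// before an expression reaches jsonpath.query/value/etc. (subset is assumed).

// Keys that must never appear as a member segment: when a library walks or
// assigns obj[key], these are the classic prototype-pollution sinks.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// One segment after the leading "$": .name  ..name  .*  ..*  [*]  [3]  [-1]
// [1:3]  ['quoted']  ["quoted"]. No filters, no script expressions.
const SEGMENT =
  /^(?:\.\.?(?:[A-Za-z_][A-Za-z0-9_]*|\*)|\[(?:\*|-?\d+(?::-?\d+)?|'[^'\\]*'|"[^"\\]*")\])/;

function validateJsonPath(expr) {
  if (typeof expr !== 'string' || expr.length > 256) {
    return { ok: false, reason: 'not a string or too long' };
  }
  // Anything that could reach static-eval is refused before parsing:
  // "(...)" script expressions, "?(...)" filters, "@" current-node
  // references and the "script:" form named in the advisory.
  if (/[()@?]|script:/i.test(expr)) {
    return { ok: false, reason: 'script or filter expression' };
  }
  if (expr[0] !== '$') return { ok: false, reason: 'must start with $' };
  let rest = expr.slice(1);
  const keys = [];
  while (rest.length > 0) {
    const m = SEGMENT.exec(rest);
    if (!m) return { ok: false, reason: `unexpected token at "${rest}"` };
    const seg = m[0];
    // Recover the member name (if any) so it can be checked as a key.
    const dotted = /^\.\.?([A-Za-z_][A-Za-z0-9_]*)$/.exec(seg);
    const quoted = /^\[['"](.*)['"]\]$/.exec(seg);
    const name = dotted ? dotted[1] : quoted ? quoted[1] : null;
    if (name !== null) {
      if (FORBIDDEN_KEYS.has(name)) {
        return { ok: false, reason: `forbidden key ${name}` };
      }
      keys.push(name);
    }
    rest = rest.slice(seg.length);
  }
  return { ok: true, keys };
}

// Stricter form from the advisory's recommendation: a fixed set of paths the
// application itself defines, so no user-controlled text is ever parsed.
function isAllowlistedPath(expr, allowlist) {
  return typeof expr === 'string' && allowlist.has(expr);
}
```

Call `validateJsonPath` (or, better, `isAllowlistedPath` against paths your own code defines) and only pass expressions that return `ok: true` on to the jsonpath methods listed in the advisory.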

@renovate (renovate Bot, Contributor, Author) commented May 20, 2026

⚠️ Artifact update problem

Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

  • any of the package files in this branch needs updating, or
  • the branch becomes conflicted, or
  • you click the rebase/retry checkbox if found above, or
  • you rename this PR's title to start with "rebase!" to trigger it manually

The artifact failure details are included below:

File name: .build/package-lock.json
npm WARN ERESOLVE overriding peer dependency
npm WARN While resolving: @webpack-cli/configtest@1.1.0
npm WARN Found: webpack@5.64.4
npm WARN node_modules/@webpack-cli/configtest/node_modules/webpack
npm WARN 
npm WARN Could not resolve dependency:
npm WARN peer webpack@"4.x.x || 5.x.x" from @webpack-cli/configtest@1.1.0
npm WARN node_modules/@webpack-cli/configtest
npm WARN   @webpack-cli/configtest@"^1.1.0" from webpack-cli@4.9.1
npm WARN   node_modules/webpack-cli
npm WARN ERESOLVE overriding peer dependency
npm WARN While resolving: ajv-keywords@3.5.2
npm WARN Found: ajv@6.12.6
npm WARN node_modules/ajv-keywords/node_modules/ajv
npm WARN 
npm WARN Could not resolve dependency:
npm WARN peer ajv@"^6.9.1" from ajv-keywords@3.5.2
npm WARN node_modules/ajv-keywords
npm WARN   ajv-keywords@"^3.5.2" from schema-utils@2.7.1
npm WARN   node_modules/@redhat-cloud-services/frontend-components-config/node_modules/babel-loader/node_modules/schema-utils
npm WARN   6 more (schema-utils, schema-utils, schema-utils, schema-utils, ...)
npm WARN 
npm WARN Conflicting peer dependency: ajv@6.15.0
npm WARN node_modules/ajv
npm WARN   peer ajv@"^6.9.1" from ajv-keywords@3.5.2
npm WARN   node_modules/ajv-keywords
npm WARN     ajv-keywords@"^3.5.2" from schema-utils@2.7.1
npm WARN     node_modules/@redhat-cloud-services/frontend-components-config/node_modules/babel-loader/node_modules/schema-utils
npm WARN     6 more (schema-utils, schema-utils, schema-utils, schema-utils, ...)
npm ERR! code ERESOLVE
npm ERR! ERESOLVE could not resolve
npm ERR! 
npm ERR! While resolving: optimize-css-assets-webpack-plugin@6.0.1
npm ERR! Found: webpack@5.51.1
npm ERR! node_modules/webpack
npm ERR!   dev webpack@"5.51.1" from the root project
npm ERR!   peer webpack@">=5.0.0" from assets-webpack-plugin@7.1.1
npm ERR!   node_modules/assets-webpack-plugin
npm ERR!     dev assets-webpack-plugin@"7.1.1" from the root project
npm ERR!   17 more (copy-webpack-plugin, css-loader, ...)
npm ERR! 
npm ERR! Could not resolve dependency:
npm ERR! peer webpack@"^4.0.0" from optimize-css-assets-webpack-plugin@6.0.1
npm ERR! node_modules/optimize-css-assets-webpack-plugin
npm ERR!   dev optimize-css-assets-webpack-plugin@"6.0.1" from the root project
npm ERR! 
npm ERR! Conflicting peer dependency: webpack@4.47.0
npm ERR! node_modules/webpack
npm ERR!   peer webpack@"^4.0.0" from optimize-css-assets-webpack-plugin@6.0.1
npm ERR!   node_modules/optimize-css-assets-webpack-plugin
npm ERR!     dev optimize-css-assets-webpack-plugin@"6.0.1" from the root project
npm ERR! 
npm ERR! Fix the upstream dependency conflict, or retry
npm ERR! this command with --force, or --legacy-peer-deps
npm ERR! to accept an incorrect (and potentially broken) dependency resolution.
npm ERR! 
npm ERR! See /runner/cache/others/npm/eresolve-report.txt for a full report.

npm ERR! A complete log of this run can be found in:
npm ERR!     /runner/cache/others/npm/_logs/2026-06-01T22_38_08_409Z-debug-0.log
