Security: CVE-2026-1615 – Arbitrary Code Execution via unsanitized JSONPath expressions (static-eval)

[Fnu-DevX]

The jsonpath package uses static-eval to evaluate filter expressions without proper sanitization. This allows malicious input in JSONPath expressions to execute arbitrary JavaScript in both Node.js (RCE) and browser (XSS) environments.

Version 1.2.1 is still vulnerable — the issue persists.

I tested with jsonpath v1.2.1, and the unsafe expression evaluation still appears to be exploitable.

Is there a planned fix or patched release for this vulnerability?

[yasin2dev]

There is a PR open for the vulnerability but not merged yet: #197

Still waiting for the merge. 👀

[Fnu-DevX]

@yasin2dev Thank you for the update.

I appreciate the clarification and the reference to PR #197. I’ll wait for the merge and the patched release.

Please let me know once the fix is merged and a new version is published. I’ll update to the next version as soon as it becomes available.

Thanks again for your efforts on this.

[yasin2dev]

Can be closed issue. #197 merged and 1.3.0 released. @Fnu-DevX you can check it out