Key vulnerability information
Vulnerability name: Arbitrary Code Injection
Affected package: jsonparch
Affected versions: all versions (no fixed version is listed)
Introduced: 2020-06-20
Identifiers: CVE-2020-1615, CWE-1321, CWE-94

Severity score
CVSS Base Score: 9.2
CVSS Severity: CRITICAL

Threat intelligence
Exploit Maturity: Proof of Concept

Overview
Affected versions of this package are vulnerable to Arbitrary Code Injection through unsafe evaluation of user-supplied JSON Path expressions. The library relies on the static-eval module to evaluate expressions embedded in JSON Path input; static-eval is not designed to process untrusted data safely. An attacker who can supply a JSON Path expression can craft one that, when evaluated, executes arbitrary JavaScript. In a Node.js environment this is Remote Code Execution with the privileges of the process; in a browser context it is Cross-site Scripting (XSS) in the origin of the page.

Practical note: because every version is affected and no fix is listed, any call site that passes attacker-controlled input as a JSON Path expression should be treated as a code-execution sink. Do not accept free-form JSON Path from untrusted sources; where dynamic paths are unavoidable, validate them against a strict allowlist (fixed property names and a small set of operators and literals) before they reach the library.

CVSS Base Scores (Version 4.0)
Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
Attack Vector (AV): Network
Attack Complexity (AC): Low
Attack Requirements (AT): Present
Privileges Required (PR): None
User Interaction (UI): None
Vulnerable System Confidentiality (VC): High
Vulnerable System Integrity (VI): High
Vulnerable System Availability (VA): High
Subsequent System Confidentiality (SC): None
Subsequent System Integrity (SI): None
Subsequent System Availability (SA): None

Other information
Snyk ID: SNYK-JS-JSONPATH-13645034
Published Date: 2026-02-05
Disclosed Date: 2025-06-20
Credit: Nick Copi
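To make the vulnerability class in the overview concrete, the following is an added illustration, not code from jsonparch, static-eval, or the advisory: a toy JSONPath filter evaluator that hands the text of a filter clause to the JavaScript runtime (the injection pattern), beside a version that accepts only a small, explicitly parsed grammar. The sample data, the function names, and the marker-setting expression used to detect code execution are constructed for this example; nothing here is a payload against the real library.

```javascript
// Added illustration (not jsonparch's or static-eval's code): two evaluators
// for a JSONPath-style filter clause such as  @.price < 10  and a probe that
// shows which of them lets a caller-supplied string execute code.

// Constructed sample data (hypothetical inventory, not from the advisory).
const SAMPLE_BOOKS = [
  { title: "Sayings of the Century", price: 8.95, category: "reference" },
  { title: "Sword of Honour", price: 12.99, category: "fiction" },
  { title: "Moby Dick", price: 8.99, category: "fiction" },
];

// VULNERABLE PATTERN: the filter text becomes source code. `@` is rewritten
// to the current item, as JSONPath filter syntax intends, but every other
// construct the caller writes runs with the privileges of the process
// (Node.js) or of the page (browser).
function unsafeFilter(items, filterExpr) {
  const source = "return (" + filterExpr.replace(/@/g, "item") + ");";
  const fn = new Function("item", source);
  return items.filter((item) => fn(item));
}

// SAFE PATTERN: accept only the grammar actually needed,
//   @.<property> <op> <number | 'string'>
// parse it into data, and evaluate that data without building code.
const FILTER_RE =
  /^@\.([A-Za-z_][A-Za-z0-9_]*)\s*(==|!=|<=|>=|<|>)\s*(-?\d+(?:\.\d+)?|'[^'\\]*')$/;

const OPERATORS = {
  "==": (a, b) => a === b,
  "!=": (a, b) => a !== b,
  "<": (a, b) => a < b,
  "<=": (a, b) => a <= b,
  ">": (a, b) => a > b,
  ">=": (a, b) => a >= b,
};

// Returns { property, op, value } or throws if the text is outside the grammar.
function parseFilter(filterExpr) {
  const m = FILTER_RE.exec(filterExpr.trim());
  if (!m) {
    throw new Error("rejected filter expression: " + JSON.stringify(filterExpr));
  }
  const [, property, op, rawValue] = m;
  const value = rawValue.startsWith("'") ? rawValue.slice(1, -1) : Number(rawValue);
  return { property, op, value };
}

function safeFilter(items, filterExpr) {
  const { property, op, value } = parseFilter(filterExpr);
  const compare = OPERATORS[op];
  return items.filter(
    (item) =>
      Object.prototype.hasOwnProperty.call(item, property) &&
      compare(item[property], value)
  );
}

// Probe: feed a constructed filter string that has a side effect (setting a
// global) and report whether the side effect happened. A filter evaluator
// that lets this through is a code-injection sink.
function injectionSucceeds(filterFn) {
  delete globalThis.__injected;
  const probe = "(globalThis.__injected = true, true)"; // constructed, not a real-world payload
  try {
    filterFn(SAMPLE_BOOKS, probe);
  } catch (e) {
    // the safe evaluator rejects the text here; the unsafe one never throws
  }
  return globalThis.__injected === true;
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(safeFilter(SAMPLE_BOOKS, "@.price < 10").map((b) => b.title));
  console.log("unsafe evaluator injectable:", injectionSucceeds(unsafeFilter));
  console.log("safe evaluator injectable:", injectionSucceeds(safeFilter));
}
```

The point of the safe variant is not the regular expression itself but the shape of the design: the untrusted string is converted into a fixed data structure (property name, operator from a closed table, literal value) and only that structure drives evaluation, so there is no path from the input to the JavaScript runtime. The same principle applies when the real library is in use: validate the path against an allowlist before calling it, or do not accept paths from untrusted sources at all.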