Mondoo

Vulnerability Management
Technology
Services

Solutions

Financial Services
Manufacturing
Healthcare

Resources

Blog
Vulnerability Database
Documentation
GitHub

Company

About
Careers
Partners
Contact

Legal

Privacy
Terms
Imprint

GHSA-6c59-mwgh-r2x6 | Mondoo Vulnerability Intelligence

Vulnerability IntelligenceGHSA-6c59-mwgh-r2x6

GHSA-6c59-mwgh-r2x6

MEDIUM6.6

JSONPath vulnerable to Prototype Pollution due to insufficient input validation of object keys in lib/index.js

Published Jan 28, 2026

Modified 3 months ago

Fix available

Details

The value function in jsonpath 1.1.1 lib/index.js is vulnerable to Prototype Pollution.

Affected Packages

jsonpath

npm

Fixed in:

1.2.0

References

WEB

https://gist.github.com/Dremig/8105c189774217222a8ebea3ed4d341d

ADVISORY

https://github.com/advisories/GHSA-6c59-mwgh-r2x6

PACKAGE

https://github.com/dchester/jsonpath

WEB

https://github.com/dchester/jsonpath/commit/9631412641b7095f86840a7a45b5b3afc68b0fcb

WEB

https://github.com/dchester/jsonpath/issues/181

WEB

https://github.com/dchester/jsonpath/issues/194

WEB

https://github.com/dchester/jsonpath/pull/195

ADVISORY

https://nvd.nist.gov/vuln/detail/CVE-2025-61140

Aliases

CVE-2025-61140

CVSS Analysis

CVSS v4.0

6.6

Exploitability

Attack Vector

NetworkAV:N

Attack Complexity

LowAC:L

Attack Requirements

NoneAT:N

Privileges Required

NonePR:N

User Interaction

NoneUI:N

Vulnerable System

Vuln. Confidentiality

NoneVC:N

Vuln. Integrity

HighVI:H

Vuln. Availability

NoneVA:N

Subsequent System

Subseq. Confidentiality

NoneSC:N

Subseq. Integrity

NoneSI:N

Subseq. Availability

NoneSA:N

6.6/CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U

CVE-2025-61140

Ecosystems

npm

Timeline

PublishedJan 28, 2026

ModifiedFeb 5, 2026