CVE-2025-61140: jsonpath prototype pollution
greprules fetch cve-2025-61140-jsonpath-prototype-pollution-cve-2025-61140 --engine opengrep
Description
The dchester/jsonpath library uses JSONPath components as object keys in its write-capable / traversal methods (value, apply, parent, _vivify, nodes, _normalize) without rejecting prototype-chain keys such as `__proto__`, `prototype`, or `constructor`. In versions < 1.2.0 this allows prototype pollution (CVE-2025-61140, CWE-1321) when path strings are influe
Detection target
Not provided
Recommended fix
Not provided
False-positive notes
Not provided
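The flaw described above, as an added illustration that is not dchester/jsonpath's own code: a minimal "vivify"-style writer that creates nested objects along a list of path components, shown in the unsafe shape the advisory describes (every component used as an object key as-is) next to a hardened variant that rejects prototype-chain components before touching the object. The function names, the `FORBIDDEN_KEYS` set and the sample path are this example's own assumptions.

```javascript
// Illustrative re-implementation (not the library's code): components of a
// JSONPath are applied as object keys when a value is written along a path.
// Keys that reach the prototype chain when used as plain object keys.
const FORBIDDEN_KEYS = new Set(['__proto__', 'prototype', 'constructor']);
const hasOwn = Object.prototype.hasOwnProperty;

// True when a single path component may safely be used as an object key.
function isSafeKey(key) {
  return !FORBIDDEN_KEYS.has(String(key));
}

// Unsafe writer: mirrors the flaw, every component is used as a key as-is,
// so a '__proto__' component walks into Object.prototype.
function vivifyUnsafe(obj, components, value) {
  let cur = obj;
  for (let i = 0; i < components.length - 1; i++) {
    const k = components[i];
    if (cur[k] === undefined || cur[k] === null) cur[k] = {};
    cur = cur[k];
  }
  cur[components[components.length - 1]] = value;
  return obj;
}

// Hardened writer: validate every component up front, then only descend
// into own properties so an inherited object is never used as a container.
function vivifySafe(obj, components, value) {
  for (const k of components) {
    if (!isSafeKey(k)) throw new Error(`unsafe path component: ${k}`);
  }
  let cur = obj;
  for (let i = 0; i < components.length - 1; i++) {
    const k = components[i];
    if (!hasOwn.call(cur, k) || cur[k] === null || typeof cur[k] !== 'object') {
      cur[k] = {};
    }
    cur = cur[k];
  }
  cur[components[components.length - 1]] = value;
  return obj;
}

// Runs both writers on a constructed '__proto__' path, reports whether a fresh
// object was affected, and undoes the demo's pollution afterwards.
function demo() {
  const components = ['__proto__', 'polluted']; // constructed sample path
  const result = {};
  vivifyUnsafe({}, components, 'yes');
  result.unsafePolluted = ({}).polluted === 'yes';
  delete Object.prototype.polluted; // undo the pollution caused by the demo
  try { vivifySafe({}, components, 'yes'); result.safeRejected = false; }
  catch (e) { result.safeRejected = true; }
  result.safePolluted = ({}).polluted === 'yes';
  return result;
}
```

Calling `demo()` returns `{ unsafePolluted: true, safeRejected: true, safePolluted: false }`; the same validation belongs in every method that turns a path component into an object key, not only in the writer.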