build(deps): update dependency jsonpath to v1.3.0 [security]

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
jsonpath	1.1.1 → 1.3.0

---

JSONPath vulnerable to Prototype Pollution due to insufficient input validation of object keys in lib/index.js

CVE-2025-61140 / GHSA-6c59-mwgh-r2x6

More information

Details

The value function in jsonpath 1.1.1 lib/index.js is vulnerable to Prototype Pollution.

Severity

• CVSS Score: 6.6 / 10 (Medium)
• Vector String: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U

References

• https://nvd.nist.gov/vuln/detail/CVE-2025-61140
• https://gist.github.com/Dremig/8105c189774217222a8ebea3ed4d341d
• https://github.com/dchester/jsonpath
• https://github.com/dchester/jsonpath/issues/181
• https://github.com/dchester/jsonpath/issues/194
• https://github.com/dchester/jsonpath/pull/195
• https://github.com/dchester/jsonpath/commit/9631412641b7095f86840a7a45b5b3afc68b0fcb
• https://github.com/advisories/GHSA-6c59-mwgh-r2x6

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

---

jsonpath has Arbitrary Code Injection via Unsafe Evaluation of JSON Path Expressions

CVE-2026-1615 / GHSA-87r5-mp6g-5w5j

More information

Details

Impact

Arbitrary Code Injection (Remote Code Execution & XSS):

A critical security vulnerability affects all versions of the jsonpath package. The library relies on the static-eval module to evaluate JSON Path expressions but fails to properly sanitize or sandbox the input.

This allows an attacker to inject arbitrary JavaScript code into the JSON Path expression. When the library evaluates this expression, the malicious code is executed.

• Node.js Environments: This leads to Remote Code Execution (RCE), allowing an attacker to compromise the server.
• Browser Environments: This leads to Cross-Site Scripting (XSS), allowing an attacker to hijack user sessions or exfiltrate data.

Affected Methods:

The vulnerability triggers when untrusted data is passed to any method that evaluates a path, including:

• jsonpath.query
• jsonpath.nodes
• jsonpath.paths
• jsonpath.value
• jsonpath.parent
• jsonpath.apply

Patches

No Patch Available:

Currently, all versions of jsonpath are vulnerable. There is no known patched version of this package that resolves the issue while retaining the current architecture.

Recommendation:

Developers are strongly advised to migrate to a secure alternative (such as jsonpath-plus or similar libraries that do not use eval/static-eval) or strictly validate all JSON Path inputs against a known allowlist.

Workarounds

• Strict Input Validation: Ensure that no user-supplied data is ever passed directly to jsonpath functions.
• Sanitization: If user input is unavoidable, implement a strict parser to reject any JSON Path expressions containing executable JavaScript syntax (e.g., parentheses (), script expressions script:, or function calls).

Resources

• CVE-2026-1615
• Vulnerable Code in handlers.js
• Snyk Advisory (Java/WebJars)
• Snyk Advisory (JS)

Severity

• CVSS Score: 8.2 / 10 (High)
• Vector String: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P

References

• https://nvd.nist.gov/vuln/detail/CVE-2026-1615
• https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-15141219
• https://security.snyk.io/vuln/SNYK-JS-JSONPATH-13645034
• https://github.com/dchester/jsonpath/blob/c1dd8ec74034fb0375233abb5fdbec51ac317b4b/lib/handlers.js#L243
• https://github.com/dchester/jsonpath/pull/197
• https://github.com/dchester/jsonpath/commit/491e2e01de2ff13f7d95e87eb2be726edbf4225f
• https://github.com/dchester/jsonpath/commit/b61111f07ac1a8d0f3133b5fc51438ecb76a6c39
• https://github.com/advisories/GHSA-87r5-mp6g-5w5j

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

---

Release Notes

dchester/jsonpath (jsonpath)

v1.3.0

Compare Source

v1.2.1

Compare Source

v1.2.0

Compare Source

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • ""
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 85.31%. Comparing base (9ed97b0) to head (ea0539c).

Additional details and impacted files

@@           Coverage Diff           @@
##           master     #861   +/-   ##
=======================================
  Coverage   85.31%   85.31%           
=======================================
  Files          27       27           
  Lines         429      429           
=======================================
  Hits          366      366           
  Misses         63       63           

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.