Cyber Resilience

CVE-2025-61140

CriticalRCEUpdated

Published: 28 January 2026

Published
28 January 2026
Modified
30 June 2026
KEV Added
Patch
CVSS Score v3.1 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0033 25.0th percentile
Risk Priority 70 floored blend · peak EPSS

Summary

CVE-2025-61140 is a critical-severity Prototype Pollution (CWE-1321) vulnerability in Dchester Jsonpath. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 25.0th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2025-61140 affects the jsonpath library version 1.1.1, specifically the value function in lib/index.js, where it is vulnerable to prototype pollution (CWE-1321). This flaw enables manipulation of the Object prototype chain through crafted JSONPath expressions. The vulnerability carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) and was published on 2026-01-28T16:16:13.547.

Remote attackers require no privileges or user interaction to exploit this vulnerability over the network with low complexity. Exploitation allows pollution of the JavaScript prototype, potentially granting high-impact control over confidentiality, integrity, and availability in affected applications that process untrusted input via the jsonpath library.

Advisories and additional details, including a proof-of-concept, are provided in the GitHub Gist at https://gist.github.com/Dremig/8105c189774217222a8ebea3ed4d341d, with the library repository available at https://github.com/dchester/jsonpath. Practitioners should consult these references for mitigation guidance.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

The value function in jsonpath 1.1.1 lib/index.js is vulnerable to Prototype Pollution.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Prototype pollution via crafted JSONPath input enables unauthenticated remote exploitation of the library in network-facing applications, directly matching T1190.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-29063Shared CWE-1321
CVE-2026-24888Shared CWE-1321
CVE-2026-28794Shared CWE-1321
CVE-2026-45302Shared CWE-1321
CVE-2026-8657Shared CWE-1321
CVE-2024-57077Shared CWE-1321
CVE-2026-34221Shared CWE-1321
CVE-2026-35209Shared CWE-1321
CVE-2026-33994Shared CWE-1321
CVE-2024-38988Shared CWE-1321

Affected Assets

dchester
jsonpath
1.1.1

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Flaw remediation directly addresses the prototype pollution vulnerability by patching or replacing the affected jsonpath 1.1.1 library.

prevent

Information input validation prevents crafted JSONPath expressions from exploiting the value function to pollute the Object prototype.

detect

Vulnerability scanning identifies the presence of the vulnerable jsonpath 1.1.1 library in applications processing untrusted input.

References