External risk intelligence

JSONPath Prototype Pollution Vulnerability in dchester jsonpath

CVE advisorySeverity: CRITICAL (CVSS 9.8)

CVE-2025-61140

The vulnerability affects a JSON processing library. While the library is not a standalone service, it is frequently integrated into internet-facing web applications and APIs. Because exposure depends on how a specific application utilizes the library to process untrusted input, internet reachability is possible but not inherent to the component itself.

Deserialization

Dchester Jsonpath

1.1.1

Halo Surface Signal: 3 out of 5 — possibly public-facing.

External exposure likelihood

Horizon Alert

Summary of the vulnerability and why it matters

This advisory details a critical vulnerability in the jsonpath library that could allow unauthorized modification of application data through prototype pollution. While the library itself is not a direct internet-facing service, its integration into web applications and APIs means there is a potential for exploitation if it processes untrusted input. The main concern is confirming relevance and exposure within your environment.

  • Code flaw allows unintended data changes.
  • Affects systems processing external data inputs.
  • Confirm use and potential exposure.

Attack Path

How an attacker could exploit the issue

An unauthenticated attacker can exploit this vulnerability by sending a specially crafted JSON input to an application that uses the affected library. This input can corrupt the application's memory, leading to a compromise of its integrity and availability. The vulnerability lies in how the library processes input, allowing an attacker to manipulate its internal structures.

  • No authentication or user interaction needed.
  • Triggered by processing malicious JSON input.
  • Leads to widespread system compromise.

Live Threat

Current exploitation, exposure, and threat context

This vulnerability could allow an attacker to modify the properties of JavaScript objects in unexpected ways when the `jsonpath` library processes specially crafted input. This may lead to unpredictable application behavior or the exposure of internal system data.

  • System data.
  • Unexpected object property modification.
  • Unpredictable application behavior.

Operational Fix

Recommended remediation, mitigation, and detection steps

To address this prototype pollution vulnerability in the `jsonpath` library, application owners and platform teams are likely responsible for its remediation. The first practical step is to inventory all systems and applications that use the affected `jsonpath` library, assess their exposure, and identify the specific accountable teams for each instance. Planning remediation should then be risk-based, considering business criticality and potential impact.

  • Identify affected applications and owners.
  • Verify library usage and reachability.
  • Plan remediation based on risk.

Supplementary metadata

Validate whether this threat affects your internet-facing exposure.

Halo Threat Intelligence helps prioritize remediation with Halo Surface Signal and H/A/L/O context. Start exposure validation with a free external attack surface trial.

Frequently asked questions

What is the dchester jsonpath library?

dchester jsonpath is a JavaScript library designed to help developers search, parse, and manipulate JSON data structures. It acts as a utility tool within web applications and APIs, allowing software to easily navigate and extract specific information from complex JSON files. Because it performs data processing tasks, it is often integrated deep within the backend logic of software systems that handle data inputs.

How does CVE-2025-61140 enable prototype pollution?

This vulnerability is classified as CWE-1321, known as Prototype Pollution. It occurs when an application improperly handles user-supplied input, allowing an attacker to inject properties into the base JavaScript objects that other parts of the program rely on. By overwriting these shared structures, an attacker can influence the program's logic, potentially leading to unauthorized data modification or crashes.

Do I need to be authenticated to trigger this flaw?

No, authentication is not required to trigger this vulnerability. The flaw exists in how the library processes JSON input. If an application passes untrusted, maliciously crafted JSON data into the affected function, the library may process it in a way that pollutes the object prototype. However, the library is not inherently vulnerable on its own; it must be used by an application that accepts and processes external input to create an actionable attack path.

Why does Halo Surface Signal categorize this as possible exposure?

Halo Surface Signal assigns a 'Possible' label because jsonpath is a library, not a standalone service. While the vulnerability itself is critical, its impact depends on whether an internet-facing application uses this specific library to handle untrusted input. If your application is internal-only or does not process external data through this library, the risk profile is significantly different than an application exposed to the public internet.

What should I do if my applications use this library?

Your first step is to perform an inventory to identify every application in your environment that includes dchester jsonpath version 1.1.1. Once you have identified these systems, assess how they ingest external data to determine which instances are reachable from the internet. Coordinate with the relevant development or platform teams to prioritize remediation based on the business criticality and the level of exposure of each affected application.

References