CVE-2024-21534
CVSS 3.1 Score 9.8 of 10 (critical)
Details
Summary
CVE-2024-21534 identifies a critical vulnerability in the jsonpath-plus package in versions prior to 10.0.0 that allows Remote Code Execution (RCE) due to improper input sanitization: an attacker who controls a JSONPath expression can have it evaluated through Node's vm module and thereby execute arbitrary code on any system that applies the package to untrusted input, with full impact on confidentiality, integrity and availability. A fix is available, but it does not remove vm-based evaluation; that mode remains available as an opt-in option after upgrading and must not be re-enabled for untrusted expressions. The CVSS 3.1 base score is 9.8 (critical) with an exploitability sub-score of 3.9, reflecting a network-reachable flaw of low attack complexity that requires neither privileges nor user interaction. Organizations using jsonpath-plus should upgrade to version 10.0.0 or later and verify that the vm-based evaluation mode stays disabled.