This repository was archived by the owner on Jan 11, 2026. It is now read-only.
This repository was archived by the owner on Jan 11, 2026. It is now read-only.
Remote code execution security vulnerability #20
Description
If an attacker can influence the json path expression, they can trivially run arbitrary code on your server.
Example expressions:
$[(phpinfo())]
$[?(phpinfo())]
The string phpinfo() can be replaced with any PHP code.
I hope nobody is still using this library.
We switched to https://github.com/Galbar/JsonPath-PHP which does not have this problem, as it does not use PHP's eval() function.