Arbitrary Code Injection Affecting mtdowling/jmespath.php package, versions <2.9.1


Severity

Recommended
0.0
critical
0
10

CVSS assessment by Snyk's Security Team. Learn more

Threat Intelligence

EPSS
0.32% (24th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Snyk Learn

Learn about Arbitrary Code Injection vulnerabilities in an interactive lesson.

Start learning
  • Snyk IDSNYK-PHP-MTDOWLINGJMESPATHPHP-17337032
  • published14 Jun 2026
  • disclosed12 Jun 2026
  • creditedorian

Introduced: 12 Jun 2026

NewCVE-2026-54133  (opens in a new tab)
CWE-94  (opens in a new tab)

How to fix?

Upgrade mtdowling/jmespath.php to version 2.9.1 or higher.

Overview

Affected versions of this package are vulnerable to Arbitrary Code Injection via unescaped JMESPath handling in the CompilerRuntime. An attacker can execute PHP source code by supplying a malicious JMESPath expression, which is included in a cache file and subsequently executed. In addition to the JmesPath\CompilerRuntime vector, if JP_PHP_COMPILE is enabled, JmesPath\search() on the malicious expression string is also an exploitable vector.

Workaround

This vulnerability can be avoided by using the default AstRuntime (without JP_PHP_COMPILE) for untrusted expressions.

CVSS Base Scores

version 4.0
version 3.1