{
  "threat_severity" : "Important",
  "public_date" : "2026-01-28T00:00:00Z",
  "bugzilla" : {
    "description" : "jsonpath: Prototype Pollution vulnerability in the value function",
    "id" : "2433946",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2433946"
  },
  "cvss3" : {
    "cvss3_base_score" : "8.8",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
    "status" : "verified"
  },
  "cwe" : "CWE-502",
  "details" : [ "The value function in lib/index.js of jsonpath 1.1.1 is vulnerable to Prototype Pollution.", "A flaw was found in jsonpath. The `value` function is vulnerable to Prototype Pollution, a class of vulnerability that allows an attacker to inject or modify properties on an object's prototype, so that the changed properties are inherited by other objects in the same application. Depending on how the affected application uses those objects, this can lead to arbitrary code execution, privilege escalation, or denial of service (DoS)." ],
  "affected_release" : [ {
    "product_name" : "Red Hat Ansible Automation Platform 2.5",
    "release_date" : "2026-03-06T00:00:00Z",
    "advisory" : "RHSA-2026:3962",
    "cpe" : "cpe:/a:redhat:ansible_automation_platform:2.5::el8",
    "package" : "ansible-automation-platform-25/lightspeed-rhel8:sha256:069c671a4745f1059e48d1813e593fc33665d9c4c1e0b14c12a0ca3bc8d32080"
  }, {
    "product_name" : "Red Hat Ansible Automation Platform 2.6",
    "release_date" : "2026-03-06T00:00:00Z",
    "advisory" : "RHSA-2026:3960",
    "cpe" : "cpe:/a:redhat:ansible_automation_platform:2.6::el9",
    "package" : "ansible-automation-platform-26/lightspeed-rhel9:sha256:0b6086acb5dc2c46ba74583bbe1b39f22317a386fa4b89b6f592dfe6e9e10511"
  }, {
    "product_name" : "Red Hat Developer Hub 1.8",
    "release_date" : "2026-03-30T00:00:00Z",
    "advisory" : "RHSA-2026:6174",
    "cpe" : "cpe:/a:redhat:rhdh:1.8::el9",
    "package" : "rhdh/rhdh-hub-rhel9:sha256:2e8ed97c6e6d232f66bb81dc074b8bb2712dc54004cc565fcb1d2b43a9bb2046"
  }, {
    "product_name" : "Red Hat Developer Hub 1.9",
    "release_date" : "2026-04-07T00:00:00Z",
    "advisory" : "RHSA-2026:6802",
    "cpe" : "cpe:/a:redhat:rhdh:1.9::el9",
    "package" : "rhdh/rhdh-hub-rhel9:sha256:5e564d74dd0a96027d9283991bda32a13b87384a9c9572456ce318dfac7e9f7d"
  }, {
    "product_name" : "Self-service automation portal 2.0",
    "release_date" : "2026-02-05T00:00:00Z",
    "advisory" : "RHSA-2026:2180",
    "cpe" : "cpe:/a:redhat:ansible_portal:2.0",
    "package" : "ansible-automation-platform/automation-portal:sha256:5ba75c11ba1f6f1b395bc4b6e05c7f543efa16f7d71d75201cabe56a82ff53d8"
  }, {
    "product_name" : "Self-service automation portal 2.1",
    "release_date" : "2026-02-05T00:00:00Z",
    "advisory" : "RHSA-2026:2181",
    "cpe" : "cpe:/a:redhat:ansible_portal:2.1",
    "package" : "ansible-automation-platform/automation-portal:sha256:140ed733a2820c7087000878f99ca3010613743ccc43c667956dc1d74302fd76"
  } ],
  "package_state" : [ {
    "product_name" : "Migration Toolkit for Virtualization",
    "fix_state" : "Affected",
    "package_name" : "migration-toolkit-virtualization/mtv-console-plugin-rhel9",
    "cpe" : "cpe:/a:redhat:migration_toolkit_virtualization:2"
  }, {
    "product_name" : "Migration Toolkit for Virtualization",
    "fix_state" : "Will not fix",
    "package_name" : "mtv-candidate/mtv-console-plugin-rhel9",
    "cpe" : "cpe:/a:redhat:migration_toolkit_virtualization:2"
  }, {
    "product_name" : "OpenShift Pipelines",
    "fix_state" : "Will not fix",
    "package_name" : "openshift-pipelines/pipelines-hub-api-rhel8",
    "cpe" : "cpe:/a:redhat:openshift_pipelines:1"
  }, {
    "product_name" : "OpenShift Pipelines",
    "fix_state" : "Will not fix",
    "package_name" : "openshift-pipelines/pipelines-hub-db-migration-rhel8",
    "cpe" : "cpe:/a:redhat:openshift_pipelines:1"
  }, {
    "product_name" : "OpenShift Pipelines",
    "fix_state" : "Affected",
    "package_name" : "openshift-pipelines/pipelines-hub-ui-rhel8",
    "cpe" : "cpe:/a:redhat:openshift_pipelines:1"
  }, {
    "product_name" : "Red Hat Ansible Automation Platform 2",
    "fix_state" : "Affected",
    "package_name" : "ansible-on-clouds/aoc-azure-aap-installer-rhel9",
    "cpe" : "cpe:/a:redhat:ansible_automation_platform:2"
  }, {
    "product_name" : "Red Hat Enterprise Linux AI (RHEL AI) 3",
    "fix_state" : "Affected",
    "package_name" : "rhelai3/bootc-cuda-rhel9",
    "cpe" : "cpe:/a:redhat:enterprise_linux_ai:3"
  }, {
    "product_name" : "Red Hat Enterprise Linux AI (RHEL AI) 3",
    "fix_state" : "Affected",
    "package_name" : "rhelai3/disk-image-cuda-rhel9",
    "cpe" : "cpe:/a:redhat:enterprise_linux_ai:3"
  }, {
    "product_name" : "Red Hat Fuse 7",
    "fix_state" : "Will not fix",
    "package_name" : "io.hawt-hawtio-online",
    "cpe" : "cpe:/a:redhat:jboss_fuse:7"
  }, {
    "product_name" : "Red Hat OpenShift AI (RHOAI)",
    "fix_state" : "Not affected",
    "package_name" : "rhoai/odh-kf-notebook-controller-rhel8",
    "cpe" : "cpe:/a:redhat:openshift_ai"
  }, {
    "product_name" : "Red Hat OpenShift AI (RHOAI)",
    "fix_state" : "Not affected",
    "package_name" : "rhoai/odh-notebook-controller-rhel8",
    "cpe" : "cpe:/a:redhat:openshift_ai"
  }, {
    "product_name" : "Red Hat Quay 3",
    "fix_state" : "Not affected",
    "package_name" : "quay/quay-rhel8",
    "cpe" : "cpe:/a:redhat:quay:3"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2025-61140\nhttps://nvd.nist.gov/vuln/detail/CVE-2025-61140\nhttps://gist.github.com/Dremig/8105c189774217222a8ebea3ed4d341d\nhttps://github.com/dchester/jsonpath" ],
  "name" : "CVE-2025-61140",
  "csaw" : false
}