jmespath.php before version 2.9.1 contains an improper input validation vulnerability (CWE-20) that allows an attacker to inject and execute arbitrary PHP code via crafted JMESPath expressions when using the JmesPath\CompilerRuntime. The vulnerability arises because the compiler emits parsed function names into generated PHP source code without sufficient escaping, resulting in attacker-controlled PHP code being written to cache files and subsequently executed. This can lead to full compromise of the PHP application. The vulnerability is addressed in version 2.9.1 by fixing the escaping issue. Workarounds include disabling JP_PHP_COMPILE and avoiding the use of CompilerRuntime with untrusted input, instead using the safer AstRuntime.

Successful exploitation allows remote attackers to execute arbitrary PHP code on the server without any privileges or user interaction, leading to complete compromise of confidentiality, integrity, and availability of the affected system. The CVSS v3.1 base score is 9.8 (critical), reflecting network attack vector, low attack complexity, no privileges required, no user interaction, and full impact on confidentiality, integrity, and availability.

A fix is available in jmespath.php version 2.9.1 and later. Users should upgrade to version 2.9.1 or above to remediate this vulnerability. Until upgrading, users should disable JP_PHP_COMPILE and avoid using JmesPath\CompilerRuntime with untrusted or attacker-controlled expressions. Instead, use the default AstRuntime for evaluating untrusted expressions. Applications that must accept untrusted expressions should ensure these are never evaluated by the compiler runtime to prevent code execution.