diff --git a/package-lock.json b/package-lock.json
index fbd86bbbf..af76ee067 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -57,7 +57,7 @@
 "jsesc": "^3.0.2",
 "json5": "^2.2.3",
 "jsonata": "^2.0.3",
- "jsonpath-plus": "^9.0.0",
+ "jsonpath-plus": "^10.3.0",
 "jsonwebtoken": "8.5.1",
 "jsqr": "^1.4.0",
 "jsrsasign": "^11.1.0",
@@ -12503,21 +12503,21 @@
 }
 },
 "node_modules/jsonpath-plus": {
- "version": "9.0.0",
- "resolved": "https://registry.npmjs.org/jsonpath-plus/-/jsonpath-plus-9.0.0.tgz",
- "integrity": "sha512-bqE77VIDStrOTV/czspZhTn+o27Xx9ZJRGVkdVShEtPoqsIx5yALv3lWVU6y+PqYvWPJNWE7ORCQheQkEe0DDA==",
+ "version": "10.3.0",
+ "resolved": "https://registry.npmjs.org/jsonpath-plus/-/jsonpath-plus-10.3.0.tgz",
+ "integrity": "sha512-8TNmfeTCk2Le33A3vRRwtuworG/L5RrgMvdjhKZxvyShO+mBu2fP50OWUjRLNtvw344DdDarFh9buFAZs5ujeA==",
 "license": "MIT",
 "dependencies": {
- "@jsep-plugin/assignment": "^1.2.1",
- "@jsep-plugin/regex": "^1.0.3",
- "jsep": "^1.3.8"
+ "@jsep-plugin/assignment": "^1.3.0",
+ "@jsep-plugin/regex": "^1.0.4",
+ "jsep": "^1.4.0"
 },
 "bin": {
 "jsonpath": "bin/jsonpath-cli.js",
 "jsonpath-plus": "bin/jsonpath-cli.js"
 },
 "engines": {
- "node": ">=14.0.0"
+ "node": ">=18.0.0"
 }
 },
 "node_modules/jsonwebtoken": {
diff --git a/package.json b/package.json
index 1c2ef3ae1..ec3f0520e 100644
--- a/package.json
+++ b/package.json
@@ -143,7 +143,7 @@
 "jsesc": "^3.0.2",
 "json5": "^2.2.3",
 "jsonata": "^2.0.3",
- "jsonpath-plus": "^9.0.0",
+ "jsonpath-plus": "^10.3.0",
 "jsonwebtoken": "8.5.1",
 "jsqr": "^1.4.0",
 "jsrsasign": "^11.1.0",
diff --git a/tests/operations/tests/Code.mjs b/tests/operations/tests/Code.mjs
index c62c76302..0a25c0e81 100644
--- a/tests/operations/tests/Code.mjs
+++ b/tests/operations/tests/Code.mjs
@@ -322,8 +322,21 @@ TestRegister.addTests([
 ]
 }
 ],
- expectedMatch: /^Invalid JPath expression: jsonPath: self is not defined:/
+ expectedMatch: /^Invalid JPath expression: Unexpected "{" at character 1/
 },
+ {
+ name: "JPath Expression: Script-based RCE",
+ input: "[{}]",
+ recipeConfig: [
+ {
+ "op": "JPath expression",
+ "args": [
+ "$..[?(p=\"console.log(this.process.mainModule.require('child_process').execSync('id').toString())\";a=''[['constructor']][['constructor']](p);a())]",
+ "\n"
+ ]
+ }
+ ],
+ expectedMatch: /^Invalid JPath expression: jsonPath: Cannot read properties of {2}\(reading 'constructor'\): /
 },
 {
 name: "CSS selector",
 input: '
\n

hello

\n

world

\n

again

\n
',
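Review bot: The new "JPath Expression: Script-based RCE" case treats the payload as blocked only when the thrown error matches exact wording, `Cannot read properties of {2}\(reading 'constructor'\)`, and that text appears to come from the expression evaluator or the JavaScript engine rather than from this project. A library or runtime release that rewords the message, or changes the two-space gap the ` {2}` pins, would fail the test although the filter is still rejected. The rewritten `Unexpected "{" at character 1` expectation at the top of the hunk has the same coupling. I would match only the project's own prefix, `expectedMatch: /^Invalid JPath expression: /`, and add a comment above the case such as `// Regression: filter expressions must never reach the Function constructor (advisory: <advisory id>)`, so the reason for the test survives future message changes. The preceding test object starts outside the hunk and the CSS selector case continues past it.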