CVE-2021-23518 — Prototype Pollution in Project Cached-path-relative

CWE-1321 — Prototype Pollution CWE-915 — Improperly Controlled Modification of Dynamically-Determined Object Attributes6 documents5 sources

Severity

9.8CRITICALNVD

EPSS

0.6%

top 29.15%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Cached-path-relative Project Cached-path-relative Debian Node-cached-path-relative Debian Linux

Timeline

PublishedJan 21

Latest updateJan 27

Description

The package cached-path-relative before 1.1.0 are vulnerable to Prototype Pollution via the cache variable that is set as {} instead of Object.create(null) in the cachedPathRelative function, which allows access to the parent prototype properties when the object is used to create the cached relative path. When using the origin path as __proto__, the attribute of the object is accessed instead of a path. **Note:** This vulnerability derives from an incomplete fix in https://security.snyk.io/vuln/…

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 3.9 | Impact: 5.9

Affected Packages4 packages

▶debiandebian/node-cached-path-relative< node-cached-path-relative 1.1.0+~1.0.0-1 (bookworm)

▶CVEListV5cached-path-relative_project/cached-path-relativeunspecified — 1.1.0

▶NVDcached-path-relative_project/cached-path-relative< 1.1.0

▶npmcached-path-relative_project/cached-path-relative< 1.1.0

Also affects: Debian Linux 10.0

Patches

Patch: github.com ↗Patch: snyk.io ↗Patch: snyk.io ↗

🔴Vulnerability Details

OSV

Prototype Pollution in cached-path-relative↗2022-01-27

▶

GHSA

Prototype Pollution in cached-path-relative↗2022-01-27

▶

OSV

CVE-2021-23518: The package cached-path-relative before 1↗2022-01-21

▶

📋Vendor Advisories

Red Hat

cached-path-relative: Prototype Pollution via the cache variable↗2022-01-21

▶

Debian

CVE-2021-23518: node-cached-path-relative - The package cached-path-relative before 1.1.0 are vulnerable to Prototype Pollut...↗2021

▶