Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS04djYzLWNxcWMtNnIyY80V4w
Prototype Pollution in object-path
object-path is vulnerable to Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution'). The del() function does not validate which object properties it deletes: when given an attacker-controlled path it will walk out of the target object and into Object.prototype, the prototype shared by every object, and delete built-in properties such as toString from all objects at once. Consistent with the CVSS vector below (C:N/I:N/A:H), the rated impact is availability, since code that relies on those defaults then fails.
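The following is an added example, not object-path's own code: a minimal del() in the style the advisory describes, beside a hardened version that refuses prototype-reaching segments and only descends into own properties. A probe() helper sends the attacker-controlled path `__proto__.toString` through each implementation and restores Object.prototype.toString afterwards so the process keeps working. The names vulnerableDel, safeDel, probe and FORBIDDEN are assumptions for illustration.

```javascript
// Constructed example (not object-path's code). Shows how an unchecked
// path walk in del() reaches Object.prototype, and one way to close it.

// Vulnerable: follows whatever obj[segment] yields, including inherited
// accessors such as __proto__ and constructor, then deletes the last segment
// wherever the walk ends up.
function vulnerableDel(obj, path) {
  const segments = Array.isArray(path) ? path : String(path).split('.');
  let current = obj;
  for (let i = 0; i < segments.length - 1; i++) {
    if (current == null) return obj;
    current = current[segments[i]];
  }
  if (current != null) delete current[segments[segments.length - 1]];
  return obj;
}

// Segment names that can redirect a walk onto a shared prototype.
const FORBIDDEN = new Set(['__proto__', 'constructor', 'prototype']);

// Hardened: rejects the forbidden names outright and only descends into
// own properties, so the walk cannot leave the object graph it was given.
function safeDel(obj, path) {
  const segments = Array.isArray(path) ? path : String(path).split('.');
  for (const s of segments) {
    if (FORBIDDEN.has(s)) throw new TypeError('refusing to traverse "' + s + '"');
  }
  const own = (o, k) => Object.prototype.hasOwnProperty.call(o, k);
  let current = obj;
  for (let i = 0; i < segments.length - 1; i++) {
    if (current == null || !own(current, segments[i])) return obj;
    current = current[segments[i]];
  }
  const last = segments[segments.length - 1];
  if (current != null && own(current, last)) delete current[last];
  return obj;
}

// Runs one del() implementation against an empty object with an attacker
// path that targets Object.prototype.toString, records whether toString
// survived and whether the call threw, then restores the original property
// descriptor (keeping it non-enumerable) so later code is unaffected.
function probe(delFn, attackPath) {
  const saved = Object.getOwnPropertyDescriptor(Object.prototype, 'toString');
  let threw = false;
  try {
    delFn({}, attackPath);
  } catch (e) {
    threw = true;
  }
  const survived = typeof ({}).toString === 'function';
  Object.defineProperty(Object.prototype, 'toString', saved);
  return { survived, threw };
}

// Ordinary deletions still work in the hardened version.
console.log(safeDel({ a: { b: 1, c: 2 } }, 'a.b'));          // { a: { c: 2 } }
// The attack path removes toString from every object via the vulnerable del().
console.log(probe(vulnerableDel, '__proto__.toString'));     // { survived: false, threw: false }
// The hardened del() refuses the same path.
console.log(probe(safeDel, '__proto__.toString'));           // { survived: true, threw: true }
```

Both `__proto__.toString` and `constructor.prototype.toString` reach Object.prototype through vulnerableDel; the own-property check alone already stops both, since neither `__proto__` nor `constructor` is an own property of a plain object, and the name blocklist is a second layer for objects (e.g. from JSON.parse) that do carry such keys.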
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS04djYzLWNxcWMtNnIyY80V4w
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: over 2 years ago
Updated: 5 months ago
CVSS Score: 7.5
CVSS vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Identifiers: GHSA-8v63-cqqc-6r2c, CVE-2021-3805
References:
- https://nvd.nist.gov/vuln/detail/CVE-2021-3805
- https://huntr.dev/bounties/571e3baf-7c46-46e3-9003-ba7e4e623053
- https://github.com/mariocasciaro/object-path/commit/4f0903fd7c832d12ccbe0d9c3d7e25d985e9e884
- https://lists.debian.org/debian-lts-announce/2023/01/msg00031.html
- https://github.com/advisories/GHSA-8v63-cqqc-6r2c
Blast Radius: 44.8
Affected Packages
npm:object-path
Dependent packages: 1,645
Dependent repositories: 950,121
Downloads: 8,291,660 last month
Affected Version Ranges: < 0.11.8
Fixed in: 0.11.8
All affected versions: 0.0.1, 0.1.0, 0.1.2, 0.1.3, 0.2.0, 0.2.1, 0.3.0, 0.4.0, 0.5.0, 0.5.1, 0.6.0, 0.7.0, 0.8.0, 0.8.1, 0.9.0, 0.9.1, 0.9.2, 0.10.0, 0.11.0, 0.11.1, 0.11.2, 0.11.3, 0.11.4, 0.11.5, 0.11.6, 0.11.7
All unaffected versions: 0.11.8