Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS13ZzZnLXBwdngtOTI3aM0lrg
Prototype Pollution in cached-path-relative
The package cached-path-relative before 1.1.0 is vulnerable to Prototype Pollution via the cache variable in the cachedPathRelative function, which is initialised as {} instead of Object.create(null). Because a plain object literal inherits from Object.prototype, a lookup keyed by a path string can reach the parent prototype's properties when the object is used to build the cached relative path: when the origin path is __proto__, the attribute of the object is accessed instead of a path. Note: This vulnerability derives from an incomplete fix in https://security.snyk.io/vuln/SNYK-JS-CACHEDPATHRELATIVE-72573
Permalink: https://github.com/advisories/GHSA-wg6g-ppvx-927h
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS13ZzZnLXBwdngtOTI3aM0lrg
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: over 2 years ago
Updated: about 1 year ago
CVSS Score: 7.3
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Identifiers: GHSA-wg6g-ppvx-927h, CVE-2021-23518
References:
- https://nvd.nist.gov/vuln/detail/CVE-2021-23518
- https://github.com/ashaffer/cached-path-relative/commit/40c73bf70c58add5aec7d11e4f36b93d144bb760
- https://snyk.io/vuln/SNYK-JS-CACHEDPATHRELATIVE-2342653
- https://lists.debian.org/debian-lts-announce/2022/12/msg00006.html
- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-2348246
- https://github.com/advisories/GHSA-wg6g-ppvx-927h
Blast Radius: 37.2
Affected Packages
npm:cached-path-relative
Dependent packages: 124
Dependent repositories: 125,416
Downloads: 4,920,250 last month
Affected Version Ranges: < 1.1.0
Fixed in: 1.1.0
All affected versions: 1.0.0, 1.0.1, 1.0.2
All unaffected versions: 1.1.0