

Severity: Moderate
EPSS: 0.00064% (0.20445 percentile)

Prototype Pollution in object-path

Affected package: npm:object-path
Affected versions: < 0.11.6
Fixed version: 0.11.6

Dependent packages: 1,645
Dependent repositories: 950,121
Downloads last month: 9,961,372

Affected Version Ranges

All affected versions

0.0.1, 0.1.0, 0.1.2, 0.1.3, 0.2.0, 0.2.1, 0.3.0, 0.4.0, 0.5.0, 0.5.1, 0.6.0, 0.7.0, 0.8.0, 0.8.1, 0.9.0, 0.9.1, 0.9.2, 0.10.0, 0.11.0, 0.11.1, 0.11.2, 0.11.3, 0.11.4, 0.11.5

All unaffected versions

0.11.6, 0.11.7, 0.11.8

This affects the package object-path before 0.11.6. A type confusion vulnerability can lead to a bypass of CVE-2020-15256 when the path components passed in the path parameter are arrays rather than strings. In particular, the check currentPath === '__proto__' returns false when currentPath is ['__proto__'], because the === operator always returns false when its operands have different types, even though using ['__proto__'] as a property key coerces it to the string '__proto__'.
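The comparison problem described above, shown as an added example rather than object-path's own code: a strict-equality blocklist beside a hardened guard that validates the component's type before comparing the coerced key. The function names, the minimal setPath walker and the blocklist contents are assumptions made for this illustration.

```javascript
// Added illustration (not object-path's code). It shows why a strict-equality
// blocklist on path components misses array-wrapped keys, and a hardened check
// that validates the component's type before comparing. All names are assumptions.

const BLOCKED_KEYS = ['__proto__', 'constructor', 'prototype'];

// Weak guard: `===` never matches when one operand is a string and the other an
// array, so ['__proto__'] slips through even though a property access with it
// coerces to the string '__proto__'.
function isBlockedStrict(component) {
  return BLOCKED_KEYS.some((key) => component === key);
}

// Hardened guard: only plain strings and numbers are accepted as path components;
// anything else (arrays, objects, symbols) is refused before the comparison, and
// the comparison itself runs on the coerced property key.
function isBlockedHardened(component) {
  if (typeof component !== 'string' && typeof component !== 'number') {
    return true;
  }
  return BLOCKED_KEYS.includes(String(component));
}

// Minimal deep-set that walks a path of components, creating objects as needed.
// `guard` decides which components are refused; a refused component throws.
function setPath(target, components, value, guard) {
  let node = target;
  components.forEach((component, index) => {
    if (guard(component)) {
      throw new Error(`refused path component: ${JSON.stringify(component)}`);
    }
    if (index === components.length - 1) {
      node[component] = value;
      return;
    }
    if (node[component] === undefined || typeof node[component] !== 'object') {
      node[component] = {};
    }
    node = node[component];
  });
  return target;
}

// Runs both guards over a constructed path whose first component is an array,
// and reports whether an unrelated object ends up seeing the written property.
// The shared prototype is restored afterwards so the process is left clean.
function demo() {
  const wrappedPath = [['__proto__'], 'polluted']; // constructed sample input
  let leakedWithStrict;
  try {
    setPath({}, wrappedPath, 'yes', isBlockedStrict);
    leakedWithStrict = ({}).polluted; // visible on a fresh object if the write landed on the prototype
  } finally {
    delete Object.prototype.polluted;
  }
  let refusedByHardened = false;
  try {
    setPath({}, wrappedPath, 'yes', isBlockedHardened);
  } catch (err) {
    refusedByHardened = true;
  }
  return { leakedWithStrict, refusedByHardened };
}
```

Calling demo() returns { leakedWithStrict: 'yes', refusedByHardened: true }: the strict guard lets the array-wrapped key reach the property access, where it is coerced to '__proto__', while the hardened guard refuses it before any write. Rejecting non-string components outright, rather than only extending the comparison, is the simpler policy to reason about and also covers objects with a custom toString.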

References: