CVE-2021-23518

NameCVE-2021-23518
DescriptionThe package cached-path-relative before 1.1.0 are vulnerable to Prototype Pollution via the cache variable that is set as {} instead of Object.create(null) in the cachedPathRelative function, which allows access to the parent prototype properties when the object is used to create the cached relative path. When using the origin path as __proto__, the attribute of the object is accessed instead of a path. **Note:** This vulnerability derives from an incomplete fix in https://security.snyk.io/vuln/SNYK-JS-CACHEDPATHRELATIVE-72573
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
ReferencesDLA-3221-1
Debian Bugs1004338

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
node-cached-path-relative (PTS)buster1.0.1-2vulnerable
buster (security)1.0.1-2+deb10u1fixed
bullseye1.0.2-1+deb11u1fixed
sid, trixie, bookworm1.1.0+~1.0.0-3fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
node-cached-path-relativesourcebuster1.0.1-2+deb10u1DLA-3221-1
node-cached-path-relativesourcebullseye1.0.2-1+deb11u1
node-cached-path-relativesource(unstable)1.1.0+~1.0.0-11004338

Notes

https://github.com/ashaffer/cached-path-relative/commit/40c73bf70c58add5aec7d11e4f36b93d144bb760
results from incomplete fix for https://security.snyk.io/vuln/SNYK-JS-CACHEDPATHRELATIVE-72573
which was CVE-2018-16472.
Search for package or bug name: Reporting problems