CVE-2021-41097
Prototype pollution in aurelia-path
In short
A vulnerability in the aurelia-path library allows attackers to manipulate the core Object prototype by crafting malicious URLs, potentially compromising any Aurelia application that parses user-controlled paths or URLs.
Technical detail
A prototype pollution vulnerability in aurelia-path versions before 1.1.7 is exploited via specially crafted URL parameters (e.g., `__proto__[property]=value`). The attack vector requires user interaction to navigate to or parse attacker-controlled URLs; the impact includes arbitrary modification of the Object prototype, affecting all application objects and potentially leading to remote code execution or denial of service.
Summary generated and translated by AI from the official description.
aurelia-path is part of the Aurelia platform and contains utilities for path manipulation. There is a prototype pollution vulnerability in aurelia-path before version 1.1.7. The vulnerability exposes any Aurelia application that uses the `aurelia-path` package to parse a string. The majority of these will be Aurelia applications that employ the `aurelia-router` package. As an example, this could allow an attacker to change the prototype of the base object class `Object` by tricking an application into parsing the following URL: `https://aurelia.io/blog/?__proto__[asdf]=asdf`. The problem is patched in version `1.1.7`.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
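To make the bug class concrete, the following is an added example and not aurelia-path's own code: a minimal bracket-style query-string parser of the shape the description above implies, shown once in an unsafe form that walks keys into a plain object and once in a hardened form that drops prototype-bearing keys and nests into null-prototype objects. The function names and the `isPolluted` check are assumptions for this illustration.

```javascript
// Added example, not aurelia-path's own code: a minimal nested query-string
// parser of the shape the advisory describes. The "unsafe" form assigns bracket
// keys into a plain object; the hardened form refuses prototype-bearing keys
// and builds on null-prototype objects.
const BLOCKED_KEYS = new Set(["__proto__", "constructor", "prototype"]);
const hasOwn = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);

// Yield { parts, value } for each "a[b][c]=v" pair in a query string.
function* pairs(qs) {
  for (const pair of qs.replace(/^\?/, "").split("&")) {
    if (!pair) continue;
    const [rawKey, rawVal = ""] = pair.split("=");
    const parts = decodeURIComponent(rawKey).replace(/\]/g, "").split("[");
    yield { parts, value: decodeURIComponent(rawVal) };
  }
}

// Unsafe: on a plain object, result["__proto__"] resolves to Object.prototype,
// so "__proto__[x]=y" writes x onto every object in the process.
function parseQueryStringUnsafe(qs) {
  const result = {};
  for (const { parts, value } of pairs(qs)) {
    let cur = result;
    for (const p of parts.slice(0, -1)) {
      if (typeof cur[p] !== "object" || cur[p] === null) cur[p] = {};
      cur = cur[p];
    }
    cur[parts[parts.length - 1]] = value;
  }
  return result;
}

// Hardened: drop any pair whose path contains a prototype key, and nest into
// null-prototype objects so no segment can ever reach Object.prototype.
function parseQueryStringSafe(qs) {
  const result = Object.create(null);
  for (const { parts, value } of pairs(qs)) {
    if (parts.some((p) => BLOCKED_KEYS.has(p))) continue;
    let cur = result;
    for (const p of parts.slice(0, -1)) {
      if (!hasOwn(cur, p) || typeof cur[p] !== "object") cur[p] = Object.create(null);
      cur = cur[p];
    }
    cur[parts[parts.length - 1]] = value;
  }
  return result;
}

// Detection check: has a property name leaked onto the shared Object prototype?
function isPolluted(name) {
  return hasOwn(Object.prototype, name);
}
```

Parsing the advisory's URL with the unsafe form makes `isPolluted("asdf")` true for every object in the process; the hardened form leaves the prototype untouched while still parsing ordinary keys.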
Affected products
aurelia · path