GHSA-8v63-cqqc-6r2c
Suggest an improvement- Source
- https://github.com/advisories/GHSA-8v63-cqqc-6r2c
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/09/GHSA-8v63-cqqc-6r2c/GHSA-8v63-cqqc-6r2c.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/GHSA-8v63-cqqc-6r2c
- Aliases
- Published
- 2021-09-20T20:46:43Z
- Modified
- 2023-11-01T05:30:41.787451Z
- Severity
-
- 7.5 (High) CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVSS Calculator
- Summary
- Prototype Pollution in object-path
- Details
-
object-path is vulnerable to Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution'). The
del()function fails to validate which Object properties it deletes. This allows attackers to modify the prototype of Object, causing the modification of default properties liketoStringon all objects. - Database specific
{ "nvd_published_at": "2021-09-17T06:15:00Z", "cwe_ids": [ "CWE-1321", "CWE-915" ], "severity": "HIGH", "github_reviewed": true, "github_reviewed_at": "2021-09-20T20:13:12Z" }- References
-
- https://nvd.nist.gov/vuln/detail/CVE-2021-3805
- https://github.com/mariocasciaro/object-path/commit/4f0903fd7c832d12ccbe0d9c3d7e25d985e9e884
- https://github.com/mariocasciaro/object-path
- https://huntr.dev/bounties/571e3baf-7c46-46e3-9003-ba7e4e623053
- https://lists.debian.org/debian-lts-announce/2023/01/msg00031.html
Affected packages
npm / object-path
Package
- Name
- object-path
- View open source insights on deps.dev
- Purl
- pkg:npm/object-path