CVE-2021-23434 — Vulnetix

Try Vulnetix Request Demo

CVE-2021-23434 PUBLISHED

This affects the package object-path before 0.11.6. A type confusion vulnerability can lead to a bypass of CVE-2020-15256 when the path components used in the path parameter are arrays. In particular, the condition currentPath === '__proto__' returns false if currentPath is ['__proto__']. This is because the === operator returns always false when the type of the operands is different.

EPSS 0.20% · 42.2th percentile

Risk Scores

EPSS Score

0.20%

42.2th percentile

Affected Products

Vendor	Product	Versions
Ubuntu:18.04:LTS	node-object-path	0, 0.11.3-1
Ubuntu:24.04:LTS	node-object-path	0, *
Ubuntu:20.04:LTS	node-object-path	0, 0.11.4-2
Ubuntu:25.10	node-object-path	0, 0.11.8+~0.11.1-2

Timeline

Aug 27, 2021 CVE Published
Aug 28, 2021 EPSS Score
Sep 2, 2021 EPSS Score
Oct 25, 2021 EPSS Score
Dec 21, 2021 EPSS Score
Jan 6, 2022 EPSS Score
Feb 4, 2022 EPSS Score
Apr 1, 2022 EPSS Score
Apr 15, 2022 EPSS Score
Jun 12, 2022 EPSS Score
Aug 9, 2022 EPSS Score
Dec 2, 2022 EPSS Score

References

https://ubuntu.com/security/CVE-2021-23434 third-party-advisory
https://snyk.io/vuln/SNYK-JS-OBJECTPATH-1569453 third-party-advisory
https://github.com/mariocasciaro/object-path/commit/7bdf4abefd102d16c163d633e8994ef154cab9eb third-party-advisory
https://github.com/mariocasciaro/object-path%230116 third-party-advisory
https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1570423 third-party-advisory
https://ubuntu.com/security/notices/USN-5967-1 vendor-advisory
https://www.cve.org/CVERecord?id=CVE-2021-23434 third-party-advisory

Open in Interactive Console →