VDB

CVE-2021-23434

CVE-2021-23434 PUBLISHED

This affects the package object-path before 0.11.6. A type confusion vulnerability can lead to a bypass of CVE-2020-15256 when the path components used in the path parameter are arrays. In particular, the condition currentPath === '__proto__' returns false if currentPath is ['__proto__']. This is because the === operator returns always false when the type of the operands is different.

EPSS 0.39% · 60.4th percentile

Risk Scores

EPSS Score
0.39%
60.4th percentile

Affected Products

VendorProductVersions
Ubuntu:18.04:LTSnode-object-path0, 0.11.3-1
Ubuntu:24.04:LTSnode-object-path0, *
Ubuntu:20.04:LTSnode-object-path0, 0.11.4-2
Ubuntu:25.10node-object-path0.11.8+~0.11.1-2, 0

Timeline

  • Aug 27, 2021 CVE Published
  • Aug 28, 2021 EPSS Score
  • Sep 2, 2021 EPSS Score
  • Oct 25, 2021 EPSS Score
  • Dec 22, 2021 EPSS Score
  • Jan 6, 2022 EPSS Score
  • Feb 4, 2022 EPSS Score
  • Apr 1, 2022 EPSS Score
  • Apr 17, 2022 EPSS Score
  • Jun 15, 2022 EPSS Score
  • Aug 13, 2022 EPSS Score
  • Dec 7, 2022 EPSS Score
Open in Interactive Console →
$ Console Community · 100/wk Open console ›