VDB

CVE-2021-23518

CVE-2021-23518 PUBLISHED

The package cached-path-relative before 1.1.0 are vulnerable to Prototype Pollution via the cache variable that is set as {} instead of Object.create(null) in the cachedPathRelative function, which allows access to the parent prototype properties when the object is used to create the cached relative path. When using the origin path as __proto__, the attribute of the object is accessed instead of a path. **Note:** This vulnerability derives from an incomplete fix in https://security.snyk.io/vuln/SNYK-JS-CACHEDPATHRELATIVE-72573

EPSS 0.65% · 71.2th percentile

Risk Scores

EPSS Score
0.65%
71.2th percentile

Affected Products

VendorProductVersions
Ubuntu:25.10node-cached-path-relative1.1.0+~1.0.0-3, 0
Ubuntu:18.04:LTSnode-cached-path-relative1.0.1-1, 0
Ubuntu:24.04:LTSnode-cached-path-relative1.1.0+~1.0.0-3, 0
Ubuntu:22.04:LTSnode-cached-path-relative0, 1.1.0+~1.0.0-1, 1.0.2-1
Ubuntu:20.04:LTSnode-cached-path-relative0, 1.0.2-1

Timeline

  • Jan 21, 2022 CVE Published
  • Jan 22, 2022 EPSS Score
  • Mar 16, 2022 EPSS Score
  • May 8, 2022 EPSS Score
  • Aug 23, 2022 EPSS Score
  • Oct 15, 2022 EPSS Score
  • Dec 7, 2022 EPSS Score
  • Jan 29, 2023 EPSS Score
  • Feb 3, 2023 CVE Updated
  • Mar 7, 2023 EPSS Score
  • Mar 23, 2023 EPSS Score
  • Jul 7, 2023 EPSS Score
Open in Interactive Console →
$ Console Community · 100/wk Open console ›