VDB
CVE-2021-23518
CVE-2021-23518
PUBLISHED
The package cached-path-relative before 1.1.0 are vulnerable to Prototype Pollution via the cache variable that is set as {} instead of Object.create(null) in the cachedPathRelative function, which allows access to the parent prototype properties when the object is used to create the cached relative path. When using the origin path as __proto__, the attribute of the object is accessed instead of a path. **Note:** This vulnerability derives from an incomplete fix in https://security.snyk.io/vuln/SNYK-JS-CACHEDPATHRELATIVE-72573
EPSS 0.65% · 71.2th percentile
Risk Scores
EPSS Score
0.65%
71.2th percentile
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Ubuntu:25.10 | node-cached-path-relative | 1.1.0+~1.0.0-3, 0 |
| Ubuntu:18.04:LTS | node-cached-path-relative | 1.0.1-1, 0 |
| Ubuntu:24.04:LTS | node-cached-path-relative | 1.1.0+~1.0.0-3, 0 |
| Ubuntu:22.04:LTS | node-cached-path-relative | 0, 1.1.0+~1.0.0-1, 1.0.2-1 |
| Ubuntu:20.04:LTS | node-cached-path-relative | 0, 1.0.2-1 |
Timeline
- Jan 21, 2022 CVE Published
- Jan 22, 2022 EPSS Score
- Mar 16, 2022 EPSS Score
- May 8, 2022 EPSS Score
- Aug 23, 2022 EPSS Score
- Oct 15, 2022 EPSS Score
- Dec 7, 2022 EPSS Score
- Jan 29, 2023 EPSS Score
- Feb 3, 2023 CVE Updated
- Mar 7, 2023 EPSS Score
- Mar 23, 2023 EPSS Score
- Jul 7, 2023 EPSS Score
References
- https://ubuntu.com/security/CVE-2021-23518 third-party-advisory
- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-2348246 third-party-advisory
- https://github.com/ashaffer/cached-path-relative/commit/40c73bf70c58add5aec7d11e4f36b93d144bb760 third-party-advisory
- https://snyk.io/vuln/SNYK-JS-CACHEDPATHRELATIVE-2342653 third-party-advisory
- https://www.cve.org/CVERecord?id=CVE-2021-23518 third-party-advisory