Platform
nodejs
Component
object-path
Fixed in
0.11.8
CVE-2021-3805 identifies a Prototype Pollution vulnerability within the object-path library. This flaw allows attackers to manipulate the prototype of JavaScript objects, potentially leading to unexpected application behavior or denial-of-service. The vulnerability affects versions of object-path up to and including 0.11.8, and a patch is available in version 0.11.8.
Successful exploitation of CVE-2021-3805 allows an attacker to inject malicious properties into JavaScript object prototypes. This can lead to a variety of consequences, including denial of service, unexpected application behavior, and potentially even remote code execution depending on how the affected application utilizes the object-path library. The impact is amplified if the application relies heavily on the modified prototypes for critical functionality. While direct remote code execution is not guaranteed, the ability to manipulate object behavior creates a significant attack surface.
CVE-2021-3805 is not currently listed on KEV or EPSS. The CVSS score of 7.5 (HIGH) indicates a moderate probability of exploitation. Public proof-of-concept (POC) code may exist or emerge, increasing the risk. Published on 2021-09-17 by NVD.
Applications that utilize the object-path library, particularly those processing untrusted user input, are at risk. Node.js projects relying on object-path as a dependency are especially vulnerable. Projects using older versions of Node.js that may have outdated dependency management practices are also at increased risk.
• nodejs: `npm list object-path`. This command lists the installed versions of object-path. Check whether the version is less than or equal to 0.11.8.
• nodejs: `npm audit object-path`. This command checks for known vulnerabilities in your project's dependencies, including CVE-2021-3805.
• generic web: Examine application logs for unusual object property modifications or errors related to object-path usage. Look for patterns indicating malicious path manipulation.
Disclosure
Exploit status
EPSS
0.65% (71st percentile)
CVSS vector
The primary mitigation for CVE-2021-3805 is to upgrade to version 0.11.8 or later of the object-path library. If upgrading is not immediately feasible, consider implementing input validation and sanitization to prevent malicious data from being passed to the object-path library. Web application firewalls (WAFs) configured to detect prototype pollution attempts could provide an additional layer of defense. Monitor application logs for unusual object property modifications.
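As an added illustration of the input-validation mitigation described above (example code, not part of this advisory and not object-path's own implementation): a path is split into segments and rejected if any segment could walk into a shared prototype, intermediate containers are created without a prototype, and a small runtime probe checks for the symptom of pollution. The function names `validatePath`, `safeSet` and `isPrototypePolluted` are assumptions for this example.

```javascript
'use strict';

// Segments that, when walked, reach a shared prototype instead of the target object.
const FORBIDDEN_SEGMENTS = new Set(['__proto__', 'constructor', 'prototype']);

// Split "a.b.c" or ["a", "b", "c"] into segments; reject anything that could reach a prototype.
function validatePath(path) {
  const segments = Array.isArray(path) ? path : String(path).split('.');
  if (segments.length === 0 || segments.some((s) => s === '')) {
    throw new TypeError('empty path segment');
  }
  for (const s of segments) {
    if (FORBIDDEN_SEGMENTS.has(s)) {
      throw new TypeError(`forbidden path segment: ${s}`);
    }
  }
  return segments;
}

// Deep-set `value` at `path`, creating intermediate objects. Only own plain-object
// properties are walked, and new containers have no prototype to pollute.
function safeSet(target, path, value) {
  const segments = validatePath(path);
  let cur = target;
  for (let i = 0; i < segments.length - 1; i++) {
    const key = segments[i];
    const own = Object.prototype.hasOwnProperty.call(cur, key);
    if (!own || typeof cur[key] !== 'object' || cur[key] === null) {
      cur[key] = Object.create(null); // null-prototype container
    }
    cur = cur[key];
  }
  cur[segments[segments.length - 1]] = value;
  return target;
}

// Runtime check for the symptom the advisory describes: a property that every
// plain object suddenly inherits. `in` walks the prototype chain.
function isPrototypePolluted(probeKey) {
  return probeKey in {};
}

// Constructed sample paths resembling untrusted user-supplied input.
function demo() {
  const results = [];
  for (const p of ['user.name', '__proto__.polluted', 'constructor.prototype.polluted']) {
    try { safeSet({}, p, 'x'); results.push(`${p}: ok`); }
    catch (e) { results.push(`${p}: rejected (${e.message})`); }
  }
  return results;
}
```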
Update the object-path dependency to version 0.11.8 or later. This fixes the Prototype Pollution vulnerability. Run `npm install object-path@latest` or `yarn upgrade object-path` to update.
CVE-2021-3805 is a Prototype Pollution vulnerability affecting versions of object-path up to 0.11.8. It allows attackers to modify object prototypes, potentially leading to application instability.
You are affected if your project uses object-path version 0.11.8 or earlier. Check your project dependencies using `npm list object-path`.
Upgrade to version 0.11.8 or later of object-path. If upgrading is not possible immediately, implement input validation to prevent malicious path manipulation.
There is currently no evidence of active exploitation in the wild, but public proof-of-concept exploits exist.
Refer to the object-path repository on GitHub for updates and advisories: https://github.com/substack/node-object-path