Platform
nodejs
Component
object-path
Fixed in
0.11.8
CVE-2021-3805 identifies a Prototype Pollution vulnerability within the object-path library. This flaw allows attackers to manipulate the prototype of JavaScript objects, potentially leading to unexpected application behavior or denial-of-service. The vulnerability affects versions of object-path up to and including 0.11.8, and a patch is available in version 0.11.8.
Prototype Pollution vulnerabilities arise when an attacker can inject properties into the prototype of a built-in JavaScript object. This injected property is then inherited by all instances of that object, effectively poisoning the entire object hierarchy. In the context of object-path, a successful exploitation could allow an attacker to modify the behavior of the library, potentially leading to denial-of-service by corrupting data structures or introducing unexpected errors. While direct remote code execution is unlikely, the ability to manipulate object properties can have cascading effects throughout an application, impacting data integrity and potentially enabling privilege escalation depending on how the library is used.
CVE-2021-3805 was publicly disclosed on September 17, 2021. There is no indication of this vulnerability being actively exploited in the wild, nor is it listed on the CISA KEV catalog. Public proof-of-concept exploits are available, demonstrating the feasibility of prototype pollution attacks against object-path. The EPSS score is likely low to medium, reflecting the need for specific conditions and attacker knowledge to exploit the vulnerability.
Exploit Status
EPSS
0.65% (71% percentile)
CVSS Vector
The primary mitigation for CVE-2021-3805 is to upgrade to version 0.11.8 or later of the object-path library. If upgrading is not immediately feasible due to compatibility issues or breaking changes, consider implementing input validation and sanitization to prevent malicious data from being passed to the object-path library. Specifically, carefully scrutinize any user-supplied data used in path expressions. While a WAF cannot directly address prototype pollution, it can be configured to block requests containing suspicious path patterns. There are no specific Sigma or YARA rules available for this vulnerability, but monitoring for unusual object property modifications within your application's logs is recommended.
Update the object-path dependency to version 0.11.8 or higher. This fixes the Prototype Pollution vulnerability. Run `npm install object-path@latest` or `yarn upgrade object-path` to update.
Vulnerability analysis and critical alerts directly to your inbox.
CVE-2021-3805 is a Prototype Pollution vulnerability affecting versions of object-path up to 0.11.8. It allows attackers to modify object prototypes, potentially leading to application instability.
You are affected if your project uses object-path version 0.11.8 or earlier. Check your project dependencies using npm list object-path.
Upgrade to version 0.11.8 or later of object-path. If upgrading is not possible immediately, implement input validation to prevent malicious path manipulation.
There is currently no evidence of active exploitation in the wild, but public proof-of-concept exploits exist.
Refer to the object-path repository on GitHub for updates and advisories: https://github.com/substack/node-object-path
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.