Platform
nodejs
Component
object-path
Fixed in
0.11.6
CVE-2021-23434 is a type confusion vulnerability in the object-path Node.js package. It lets an attacker bypass the fix for CVE-2020-15256 (prototype pollution) by supplying path components as arrays instead of strings, so that a user-controlled path can once again reach __proto__. Versions of object-path before 0.11.6 are affected; the fix is released in 0.11.6.
The root cause is how object-path's guard handles array-based path components. The check currentPath === '__proto__' uses strict equality, which returns false when currentPath is the array ['__proto__'] because the operands have different types. The property access that follows, however, coerces the array to the string "__proto__" and walks into Object.prototype. An attacker who controls the path can therefore write properties onto Object.prototype (prototype pollution), and depending on how the application later consumes those inherited properties this can result in logic bypass, denial of service, information disclosure or, in some contexts, remote code execution. The impact is greater when object-path processes untrusted input in a critical part of the application's data processing pipeline.
CVE-2021-23434 was publicly disclosed on September 1, 2021. At the time of writing there is no indication of active exploitation campaigns and no public proof-of-concept (PoC) code, although because this is a bypass of a known guard a PoC would be straightforward to write. The vulnerability is not listed in the CISA KEV catalog.
Applications that use the object-path Node.js package for data manipulation or configuration parsing are at risk. This includes any project with object-path as a direct or transitive dependency, especially where it processes user-supplied data or sensitive configuration. Projects that mitigated CVE-2020-15256 by upgrading remain vulnerable unless they are on object-path 0.11.6 or later.
• nodejs: Run npm audit to identify vulnerable versions of object-path among your project dependencies:
npm audit
• nodejs: Check which versions of object-path are installed, including nested copies pulled in by other packages, with npm ls, or read the installed package's own manifest:
npm ls object-path
node -e "console.log(require('object-path/package.json').version)"
• generic web: Examine application logs for unusual object property access patterns, particularly path components supplied as arrays or containing __proto__, constructor or prototype.
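npm ls shows nested copies, but on a large tree it is easy to miss one. The following added script (written for this page; it is not part of object-path or npm) scans a package-lock.json for every installed copy of object-path, covering both the lockfileVersion 2/3 "packages" layout and the older lockfileVersion 1 "dependencies" tree, and reports copies below 0.11.6. The lockfile content is constructed for the example; pass a real file path as the first argument to scan a project. Version comparison is numeric per segment, so 0.11.10 correctly sorts above 0.11.6.

```javascript
const FIXED_VERSION = '0.11.6';

// Constructed lockfile for the example (not real project data): a fixed direct
// copy of object-path plus a nested, still-vulnerable copy under some-lib.
const SAMPLE_LOCKFILE = JSON.stringify({
  name: 'demo-app',
  lockfileVersion: 3,
  packages: {
    '': { dependencies: { 'object-path': '^0.11.4', 'some-lib': '^1.0.0' } },
    'node_modules/object-path': { version: '0.11.6' },
    'node_modules/some-lib': { version: '1.0.0', dependencies: { 'object-path': '~0.11.4' } },
    'node_modules/some-lib/node_modules/object-path': { version: '0.11.5' },
  },
});

// Numeric per-segment comparison of dotted versions; any prerelease suffix is
// ignored. Returns -1, 0 or 1.
function compareVersions(a, b) {
  const pa = a.split('-')[0].split('.').map(Number);
  const pb = b.split('-')[0].split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

// lockfileVersion 1 nests dependencies recursively; build node_modules paths.
function walkV1(deps, prefix, out) {
  for (const [name, meta] of Object.entries(deps || {})) {
    const path = prefix + 'node_modules/' + name;
    if (name === 'object-path') out.push({ path, version: meta.version });
    walkV1(meta.dependencies, path + '/', out);
  }
}

// Every installed copy of object-path, direct or nested, with its version.
function findObjectPathCopies(lockfileText) {
  const lock = JSON.parse(lockfileText);
  const copies = [];
  if (lock.packages) {
    for (const [path, meta] of Object.entries(lock.packages)) {
      if (path === 'node_modules/object-path' || path.endsWith('/node_modules/object-path')) {
        copies.push({ path, version: meta.version });
      }
    }
  } else {
    walkV1(lock.dependencies, '', copies);
  }
  return copies;
}

// Copies whose version is older than the fixed release.
function findVulnerableObjectPath(lockfileText, fixedVersion = FIXED_VERSION) {
  return findObjectPathCopies(lockfileText)
    .filter((c) => compareVersions(c.version, fixedVersion) < 0);
}

if (typeof require !== 'undefined' && require.main === module) {
  const fs = require('fs');
  const text = process.argv[2] ? fs.readFileSync(process.argv[2], 'utf8') : SAMPLE_LOCKFILE;
  console.log(findVulnerableObjectPath(text));
  // sample lockfile → [ { path: 'node_modules/some-lib/node_modules/object-path', version: '0.11.5' } ]
}
```

Run it as node scan.js ./package-lock.json (file name assumed). A non-empty result means a copy of object-path below 0.11.6 is installed somewhere in the tree, even if the top-level copy is already patched.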
Exploit status
disclosure
EPSS
0.39% (60th percentile)
CVSS vector
The primary mitigation for CVE-2021-23434 is to upgrade object-path to version 0.11.6 or later without delay. If an immediate upgrade is not feasible because of compatibility concerns, validate every path before it reaches object-path: require each component to be a string (or a numeric index), reject nested arrays and other non-string types, and refuse the keys __proto__, constructor and prototype. A WAF or proxy cannot fix the library, but it can be configured to flag request bodies that carry those keys or array-shaped path components. No Sigma or YARA rules specific to this vulnerability are available; monitoring application logs for unusual object property access patterns is recommended instead.
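To make the failing check and the recommended input validation concrete, the following added JavaScript (written for this page; it is not object-path's source) models the pre-0.11.6 guard in a toy path setter so the bypass can be seen end to end, then shows the validation the mitigation calls for: normalize every component to a string, reject arrays and other non-string types, and refuse the keys __proto__, constructor and prototype before any property is touched. All function names are this example's own.

```javascript
const BLOCKED_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Toy setter modelling the pre-0.11.6 guard (an illustration, not object-path's
// code). The blocklist uses strict equality, so a nested array component such as
// ['__proto__'] is not === '__proto__' and passes; the property access that
// follows coerces the array to the string "__proto__" and walks into the prototype.
function vulnerableSet(obj, path, value) {
  let current = obj;
  for (let i = 0; i < path.length; i++) {
    const key = path[i];
    if (key === '__proto__' || key === 'constructor' || key === 'prototype') {
      throw new Error('refusing to set ' + key);
    }
    if (i === path.length - 1) {
      current[key] = value;
    } else {
      if (typeof current[key] !== 'object' || current[key] === null) {
        current[key] = {};
      }
      current = current[key]; // with key = ['__proto__'] this is Object.prototype
    }
  }
  return obj;
}

// Validation for untrusted paths: accept only strings and non-negative integer
// indexes, reject keys that reach the prototype chain, return string keys.
function validatePath(path) {
  if (!Array.isArray(path)) throw new TypeError('path must be an array of components');
  return path.map((key) => {
    if (typeof key === 'number' && Number.isInteger(key) && key >= 0) return String(key);
    if (typeof key !== 'string') {
      throw new TypeError('path component must be a string, got ' + (Array.isArray(key) ? 'array' : typeof key));
    }
    if (BLOCKED_KEYS.has(key)) throw new Error('refusing to traverse ' + key);
    return key;
  });
}

// Hardened setter: validates first, then only descends into own properties so
// an inherited value can never become the write target.
function hardenedSet(obj, path, value) {
  const keys = validatePath(path);
  let current = obj;
  for (let i = 0; i < keys.length; i++) {
    const key = keys[i];
    if (i === keys.length - 1) {
      current[key] = value;
    } else {
      const own = Object.prototype.hasOwnProperty.call(current, key);
      if (!own || typeof current[key] !== 'object' || current[key] === null) {
        current[key] = {};
      }
      current = current[key];
    }
  }
  return obj;
}

// Runs the bypass against the toy setter and reports what a fresh object sees
// before and after; the polluted property is removed again afterwards.
function demonstrateBypass() {
  const before = ({}).polluted;
  try {
    vulnerableSet({}, [['__proto__'], 'polluted'], 'yes');
    return { before, after: ({}).polluted };
  } finally {
    delete Object.prototype.polluted;
  }
}

// True when the hardened setter refuses the path.
function hardenedRejects(path) {
  try {
    hardenedSet({}, path, 'yes');
    return false;
  } catch (e) {
    return true;
  }
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log('vulnerable setter:', demonstrateBypass());                                  // { before: undefined, after: 'yes' }
  console.log('hardened rejects bypass:', hardenedRejects([['__proto__'], 'polluted']));   // true
  console.log('hardened normal set:', JSON.stringify(hardenedSet({}, ['a', 'b'], 1)));     // {"a":{"b":1}}
}
```

validatePath is the piece to reuse in front of any object-path call on untrusted input: it turns the path into plain strings, so the comparison in the library sees the same type it expects, and it rejects the three prototype-reaching keys regardless of what the library does with them.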
Upgrade the object-path package to version 0.11.6 or later. This fixes the prototype pollution vulnerability by preventing the type confusion that occurs when path components are arrays.
CVE-2021-23434 is a type confusion vulnerability in the object-path Node.js package, allowing bypass of CVE-2020-15256 by manipulating path components as arrays.
You are affected if you are using object-path versions prior to 0.11.6. Check your project dependencies with npm audit and npm ls object-path.
Upgrade to object-path version 0.11.6 or later. If immediate upgrade is not possible, implement input validation to prevent array-based path components.
There is no current evidence of active exploitation campaigns targeting CVE-2021-23434, but a PoC could be developed.
Refer to the object-path project's repository or related security advisories for the official advisory.