CVE-2018-16472
Prototype Pollution vulnerability in cached-path-relative (npm)
What is CVE-2018-16472 About?
The `cached-path-relative` package, in versions before 1.0.2, is vulnerable to prototype pollution: a caller-controlled cache key such as `__proto__` lets an attacker inject properties into `Object.prototype`, which every plain JavaScript object inherits. Exploitation is straightforward once attacker-controlled input reaches the path arguments the library caches on.
Affected Software
cached-path-relative (npm), versions before 1.0.2.
Technical Details
The vulnerability in cached-path-relative is prototype pollution, an injection class specific to JavaScript. The library memoizes path computations in a plain JavaScript object (`{}`) keyed by the caller-supplied path strings. On a plain object, the key `__proto__` is not an ordinary property: it resolves to `Object.prototype`, so a write of the form `cache[from][to] = value` with an attacker-controlled `from` of `__proto__` stores `value` on `Object.prototype` itself. Because `Object.prototype` is the root of the prototype chain, the injected property then appears on almost every object in the application, where it can supply a value for a property that is normally `undefined` (for example a permission flag) or shadow an existing one. The same failure mode is common in merge, clone and parse routines that copy attacker-controlled keys without rejecting `__proto__`, `constructor` and `prototype`.
What is the Impact of CVE-2018-16472?
Successful exploitation allows an attacker to add or overwrite properties on `Object.prototype` that every plain object then inherits. The concrete impact depends on how the application reads those properties: at minimum, unexpected values can break logic and crash the process (denial of service); where polluted properties feed authorization checks, template engines or command construction, privilege escalation or remote code execution become possible.
What is the Exploitability of CVE-2018-16472?
Exploitation of this prototype pollution vulnerability is of moderate complexity. The attacker needs to get a crafted string such as `__proto__` into a path argument that the application passes to the vulnerable cached-path-relative function; the library then uses that string as a cache key and the subsequent cache write lands on `Object.prototype`. The library itself imposes no authentication or privilege requirement; whether the attack is remote or local depends on where the application takes its path arguments from (request parameters, uploaded file names, configuration). The prerequisites are therefore a vulnerable version (before 1.0.2) and path arguments that an attacker can influence. Risk increases when the application also deserializes untrusted data, deep-merges objects from untrusted sources, or otherwise fails to sanitize user-controlled object keys, since a polluted prototype then has more places to take effect.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2018-16472?
About the Fix from Resolved Security
The patch changes the initialization of the cache from a plain object (`{}`) to an object with a null prototype (`Object.create(null)`). A null-prototype object inherits nothing from `Object.prototype`, so a user-controlled cache key such as `__proto__` becomes an ordinary own property instead of a reference to the shared prototype. This fixes CVE-2018-16472 by ensuring that writes through user-controlled cache keys can no longer reach `Object.prototype`.
Available Upgrade Options
- cached-path-relative
- <1.0.2 → Upgrade to 1.0.2
Additional Resources
- https://github.com/advisories/GHSA-hc9w-4p87-j549
- https://lists.debian.org/debian-lts-announce/2022/12/msg00006.html
- https://hackerone.com/reports/390847
- https://nvd.nist.gov/vuln/detail/CVE-2018-16472
- https://www.npmjs.com/advisories/739
- https://github.com/ashaffer/cached-path-relative/issues/3
- https://osv.dev/vulnerability/GHSA-hc9w-4p87-j549
- https://github.com/nodejs/security-wg/blob/master/vuln/npm/480.json
What are Similar Vulnerabilities to CVE-2018-16472?
Similar Vulnerabilities: CVE-2019-10744, CVE-2020-28285, CVE-2020-28500, CVE-2020-28501, CVE-2021-23382
