CVE-2021-23434
type confusion vulnerability in object-path
What is CVE-2021-23434 About?
The 'object-path' package before 0.11.6 is vulnerable to a type confusion issue that can bypass CVE-2020-15256. This occurs when array path components are used in the path parameter, leading to an incorrect type comparison. Exploiting this could allow access to forbidden properties.
Affected Software
Technical Details
The 'object-path' package (before 0.11.6) suffers from a type confusion vulnerability that bypasses the fix for CVE-2020-15256. The vulnerability occurs when array path components are used within the 'path' parameter. Specifically, the condition `currentPath === '__proto__'`, intended to prevent prototype pollution, fails when `currentPath` is an array (e.g., `['__proto__']`): the `===` operator returns false because the operand types differ, yet when that array is later used as a property key JavaScript coerces it to the string `'__proto__'`. This allows an attacker to bypass the protection and potentially manipulate object prototypes.
What is the Impact of CVE-2021-23434?
Successful exploitation may allow attackers to bypass security restrictions, potentially leading to prototype pollution, arbitrary property modification, or other unexpected application behavior.
What is the Exploitability of CVE-2021-23434?
Exploitation of this type confusion vulnerability involves providing specially crafted input where path components are arrays, allowing an attacker to bypass a security check. The complexity is moderate, requiring knowledge of the internal workings of the 'object-path' package and the specific type confusion. Authentication might be required to interact with the application logic that uses 'object-path', but the vulnerability itself doesn't inherently require privileges beyond the application's context. This can be a remote vulnerability if the application processes untrusted input through the vulnerable function. The risk factors include applications that dynamically construct object paths from user input or process untrusted JSON/object structures.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2021-23434?
About the Fix from Resolved Security
The patch fixes CVE-2021-23434 by ensuring that all path segments used in the object property assignment are normalized to strings, preventing crafted non-string keys (such as arrays containing dangerous property names) from bypassing the existing security checks for properties such as `__proto__` or `constructor`. This stops malicious payloads that could manipulate the prototype chain and thus prevents prototype pollution.
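The following is an added example, not object-path's own code, illustrating both the type confusion from the Technical Details and the string-normalization fix described here; the function names and the minimal setter are ours.

```javascript
// Added example (not object-path's own code): a minimal path setter modelled on
// the check described above, shown in its vulnerable form and with the fix
// (normalizing every segment to a string before comparison). Names are ours.
const FORBIDDEN = new Set(['__proto__', 'constructor', 'prototype']);

// Vulnerable form: strict equality against string literals. An array segment
// such as ['__proto__'] has a different type, so === is false and the segment
// is let through, even though obj[['__proto__']] coerces the key to '__proto__'.
function isForbiddenVulnerable(segment) {
  return segment === '__proto__' ||
         segment === 'constructor' ||
         segment === 'prototype';
}

// Fixed form: coerce the segment to a string first, the same way a property
// access would, so ['__proto__'] and '__proto__' are treated identically.
function isForbiddenFixed(segment) {
  return FORBIDDEN.has(String(segment));
}

// Walks `path` (dotted string or array of segments) and assigns `value`,
// refusing any segment that `check` flags. Returns true if the assignment
// happened, false if it was rejected.
function setPath(obj, path, value, check) {
  const segments = Array.isArray(path) ? path : String(path).split('.');
  let current = obj;
  for (let i = 0; i < segments.length; i++) {
    const seg = segments[i];
    if (check(seg)) return false; // reject before touching the object
    const key = String(seg);
    if (i === segments.length - 1) {
      current[key] = value;
      return true;
    }
    if (typeof current[key] !== 'object' || current[key] === null) {
      current[key] = {};
    }
    current = current[key];
  }
  return false; // empty path
}

// The crafted segment from the advisory: an array wrapping '__proto__'.
const crafted = [['__proto__'], 'polluted'];
console.log('vulnerable check blocks it:', isForbiddenVulnerable(crafted[0])); // false
console.log('fixed check blocks it:     ', isForbiddenFixed(crafted[0]));      // true
console.log('fixed setter rejects it:   ', !setPath({}, crafted, true, isForbiddenFixed)); // true
```

Only the fixed check is ever used to perform an assignment here; the vulnerable check is shown solely to make the failed comparison visible.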
Available Upgrade Options
- object-path
- <0.11.6 → Upgrade to 0.11.6
Additional Resources
- https://github.com/mariocasciaro/object-path%230116
- https://github.com/mariocasciaro/object-path/commit/7bdf4abefd102d16c163d633e8994ef154cab9eb
- https://nvd.nist.gov/vuln/detail/CVE-2021-23434
- https://lists.debian.org/debian-lts-announce/2023/01/msg00031.html
- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1570423
- https://osv.dev/vulnerability/GHSA-v39p-96qg-c8rf
What are Similar Vulnerabilities to CVE-2021-23434?
Similar Vulnerabilities: CVE-2020-15256, CVE-2021-23383, CVE-2020-28283, CVE-2020-28281, CVE-2019-10744
