CVE-2021-23438
Type Confusion vulnerability in mpath (npm)


What is CVE-2021-23438 About?

This type confusion vulnerability in the 'mpath' package before 0.8.4 can lead to a bypass of a previous security fix (CVE-2018-16490). The vulnerability arises from differing behaviors of 'indexOf()' on arrays versus strings when `['__proto__']` is used as input. The impact is a potential bypass of security mechanisms, possibly leading to prototype pollution. Exploitation requires careful crafting of input that triggers the type confusion.

Affected Software

mpath <0.8.4

Technical Details

The 'mpath' package before version 0.8.4 suffers from a type confusion vulnerability that allows an attacker to bypass the fix for CVE-2018-16490. The core issue lies in the condition `ignoreProperties.indexOf(parts[i]) !== -1`. When ignoreProperties is an array and parts[i] is `['__proto__']` (an array containing the string '__proto__'), the JavaScript engine calls Array.prototype.indexOf(), which compares elements with strict equality: the array `['__proto__']` is never identical to the string '__proto__' held in the ignore list, so the call returns -1. If parts[i] were a string, String.prototype.indexOf() would be implicitly called instead, and the two methods behave differently. Because the expected string comparison does not occur for `['__proto__']`, the __proto__ property is not properly ignored, potentially leading to prototype pollution by circumventing the security check. The attack vector involves providing input that causes parts[i] to resolve to `['__proto__']` during specific property access or modification operations within 'mpath'.
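A minimal model of the check described above, added here as an example and not mpath's own code: a simplified path setter with the CVE-2018-16490 ignore-list check, beside the string/number segment check the fix adds, and a probe that tests whether Object.prototype was touched (all function names are hypothetical).

```javascript
// Constructed example: models the indexOf() type confusion, not mpath itself.
const ignoreProperties = ['__proto__', 'constructor', 'prototype'];

// Vulnerable pattern: the ignore check uses Array.prototype.indexOf().
function setVulnerable(obj, parts, value) {
  let cur = obj;
  for (let i = 0; i < parts.length; i++) {
    // Strict equality: the array ['__proto__'] is never === the string
    // '__proto__', so indexOf() returns -1 and the segment is not ignored.
    if (ignoreProperties.indexOf(parts[i]) !== -1) return false;
    if (i === parts.length - 1) {
      // Property keys are coerced with ToString: ['__proto__'] -> '__proto__'.
      cur[parts[i]] = value;
    } else {
      cur = cur[parts[i]];
    }
  }
  return true;
}

// Hardened pattern: reject any segment that is not a string or a number,
// as the fix described on this page does, before the ignore check runs.
function setFixed(obj, parts, value) {
  for (const p of parts) {
    if (typeof p !== 'string' && typeof p !== 'number') {
      throw new TypeError('path segment must be a string or number');
    }
  }
  return setVulnerable(obj, parts, value);
}

// Regression probe: run a setter on a fresh object and report whether the
// write reached Object.prototype. Cleans up so later checks start clean.
function probe(setter) {
  const target = {};
  let result;
  try {
    result = setter(target, [['__proto__'], 'polluted'], true);
  } catch (e) {
    result = e instanceof TypeError ? 'rejected' : e;
  }
  const leaked = ({}).polluted === true;
  delete Object.prototype.polluted;
  return { result, leaked };
}
```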

What is the Impact of CVE-2021-23438?

Successful exploitation may allow attackers to bypass security mechanisms, potentially leading to prototype pollution and arbitrary property modification.

What is the Exploitability of CVE-2021-23438?

Exploitation of this type confusion vulnerability is of moderate complexity, requiring specific knowledge of JavaScript type handling and how 'mpath' processes property paths. There are no explicit authentication or privilege requirements if the attacker can influence the input processed by 'mpath'. This can be a remote or local attack depending on how the application uses the 'mpath' package and accepts user input. The critical condition is that the application uses a vulnerable version of 'mpath' and allows user-controlled property names to be processed in a way that triggers the specific type confusion with ['__proto__']. Risk factors include applications that deserialize untrusted JSON or other structured data where property names can be controlled by an attacker.

What are the Known Public Exploits?

Known public exploits (PoC, author, link, commentary): none known.

What are the Available Fixes for CVE-2021-23438?

A Fix by Resolved Security Exists!

About the Fix from Resolved Security

This patch adds type checks to ensure each path segment provided to the affected functions is a string or number, throwing a TypeError otherwise. This fixes CVE-2021-23438 by preventing prototype pollution or other unexpected behaviors that could occur if an attacker supplied specially crafted objects (such as arrays or object references) as path segments.

Available Upgrade Options

  • mpath
    • <0.8.4 → Upgrade to 0.8.4


Additional Resources

What are Similar Vulnerabilities to CVE-2021-23438?

Similar Vulnerabilities: CVE-2023-26136, CVE-2022-26149, CVE-2022-24317, CVE-2021-43818, CVE-2020-28283