CVE-2021-23518
Prototype Pollution vulnerability in cached-path-relative (npm)
What is CVE-2021-23518 About?
This is a Prototype Pollution vulnerability in the 'cached-path-relative' package versions before 1.1.0. It allows an attacker to inject properties into `Object.prototype` because the cache variable within `cachedPathRelative` is initialized as a plain empty object instead of a null-prototype object, so a lookup keyed by a crafted path reaches the parent prototype. Exploitation is moderately complex, requiring crafted inputs to achieve property injection.
Affected Software
Technical Details
The 'cached-path-relative' package before version 1.1.0 is vulnerable to Prototype Pollution. This issue arises because the cache variable within the `cachedPathRelative` function is initialized as `{}` (a plain JavaScript object) instead of `Object.create(null)` (an object with no prototype). This allows an attacker, by supplying a crafted `__proto__` property in the input, to access and modify properties on `Object.prototype`. When the origin path is set to `__proto__`, the vulnerability allows for the manipulation or injection of new attributes into the root `Object.prototype`, which is then inherited by all objects in the application. This can lead to denial-of-service, unintended property manipulation, or potentially remote code execution depending on the application context. This vulnerability is a bypass of a previous fix.
What is the Impact of CVE-2021-23518?
Successful exploitation may allow attackers to inject or modify properties of `Object.prototype`, potentially leading to denial-of-service, unexpected application behavior, or in some scenarios, arbitrary code execution.
What is the Exploitability of CVE-2021-23518?
Exploiting this prototype pollution vulnerability requires the attacker to supply a specially crafted input, specifically by using `__proto__` as part of the path, that is processed by the `cachedPathRelative` function. This would allow manipulating the cache object to inject properties into `Object.prototype`. Authentication requirements depend on whether unauthenticated input can reach the vulnerable function. No specific privilege levels are needed beyond being able to provide the malicious input. This is typically a remote vulnerability if the application accepts and processes user-supplied paths. The complexity lies in crafting the input precisely to trigger the prototype pollution and understanding how the application utilizes the 'cached-path-relative' package. The fact that it's a bypass of a previous fix suggests that previous attempts at mitigation were incomplete, indicating a non-trivial exploitation path that bypasses known defenses.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2021-23518?
About the Fix from Resolved Security
The patch replaces the use of plain objects for caching with objects created via `Object.create(null)`, removing the default object prototype. This prevents an attacker from exploiting prototype pollution, which is the root cause of CVE-2021-23518, by ensuring that only actual cache keys are present and inherited properties like `__proto__` cannot be overwritten.
Available Upgrade Options
- cached-path-relative
- <1.1.0 → Upgrade to 1.1.0
Additional Resources
- https://snyk.io/vuln/SNYK-JS-CACHEDPATHRELATIVE-2342653
- https://lists.debian.org/debian-lts-announce/2022/12/msg00006.html
- https://github.com/ashaffer/cached-path-relative
- https://github.com/ashaffer/cached-path-relative/commit/40c73bf70c58add5aec7d11e4f36b93d144bb760
- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-2348246
- https://nvd.nist.gov/vuln/detail/CVE-2021-23518
What are Similar Vulnerabilities to CVE-2021-23518?
Similar Vulnerabilities: CVE-2023-45136, CVE-2023-39296, CVE-2022-25912, CVE-2022-25860, CVE-2020-8237
