mpath@0.4.0 vulnerabilities

{G,S}et object values using MongoDB-like path notation

  • latest version

    0.9.0

  • latest non vulnerable version

  • first published

    12 years ago

  • latest version published

    2 years ago

  • licenses detected

  • Direct Vulnerabilities

    Known vulnerabilities in the mpath package. This does not include vulnerabilities belonging to this package’s dependencies.

    How to fix?

    Automatically find and fix vulnerabilities affecting your projects. Snyk scans for vulnerabilities and provides fixes for free.

    Fix for free
    VulnerabilityVulnerable Version
    • M
    Prototype Pollution

    mpath is a package that gets/sets javascript object values using MongoDB-like path notation.

    Affected versions of this package are vulnerable to Prototype Pollution. A type confusion vulnerability can lead to a bypass of CVE-2018-16490. In particular, the condition ignoreProperties.indexOf(parts[i]) !== -1 returns -1 if parts[i] is ['__proto__']. This is because the method that has been called if the input is an array is Array.prototype.indexOf() and not String.prototype.indexOf(). They behave differently depending on the type of the input.

    PoC

    const mpath = require('mpath');
    // mpath.set(['__proto__', 'polluted'], 'yes', {});
    // console.log(polluted); // ReferenceError: polluted is not defined
    
    mpath.set([['__proto__'], 'polluted'], 'yes', {});
    console.log(polluted); // yes
    

    How to fix Prototype Pollution?

    Upgrade mpath to version 0.8.4 or higher.

    <0.8.4
    • H
    Prototype Pollution

    mpath is a package that gets/sets javascript object values using MongoDB-like path notation.

    Affected versions of this package are vulnerable to Prototype Pollution. An attacker could specify a path that include the prototype object, and thus overwrite important properties on Object.prototype or add new ones.

    How to fix Prototype Pollution?

    Upgrade mpath to version 0.5.1 or higher.

    >=0.3.0 <0.5.1