Prototype pollution in aurelia-path

Description

Impact

The vulnerability exposes Aurelia application that uses aurelia-path package to parse a string. The majority of this will be Aurelia applications that employ the aurelia-router package. An example is this could allow an attacker to change the prototype of base object class Object by tricking an application to parse the following URL: https://aurelia.io/blog/?__proto__[asdf]=asdf

Patches

The problem should be patched in version 1.1.7. Any version earlier than this is vulnerable.

Workarounds

A partial work around is to free the Object prototype:

Object.freeze(Object.prototype)

Basic information

Type
reviewed
Severity
critical
Advisory on GitHub
Open advisory ↗
Repository advisory
Open repository advisory ↗
Source code
Browse source ↗
Published (advisory)
2021-09-27 20:12:16 UTC
Updated
2023-02-01 05:06:10 UTC
GitHub reviewed
2021-09-27 19:18:37 UTC
NVD published
2021-09-27

EPSS Score

Score Percentile
11.71% 93.63%

CVSS Scores

Base score Version Severity Vector
9.1 3.1
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N Click to expand
Attack vector (AV:N)
Could be attacked over the internet or any normal routed network—not just someone sitting at the machine.
Attack complexity (AC:L)
Once they can reach the bug, pulling it off is straightforward—no weird race conditions or rare setup.
Privileges required (PR:N)
No account or special rights needed—anonymous or random user is enough.
User interaction (UI:N)
Nobody has to click “OK” or open a trap file; it can work without a victim helping.
Scope (S:U)
Damage stays in the same “trust bubble” as the broken component—no big spill into unrelated systems.
Confidentiality (C:H)
Serious risk that confidential data gets exposed in a big way.
Integrity (I:H)
They could widely tamper with or forge data—trust in the data is badly hurt.
Availability (A:N)
Service keeps running; no real outage angle.

Identifiers

CWEs

CWE id Name
CWE-915 Improperly Controlled Modification of Dynamically-Determined Object Attributes
CWE-1321 Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')

Credits

  • msrkp (analyst)

Affected packages (1)

Vulnerable version ranges and first patched releases as published by GitHub.

Ecosystem Package Vulnerable range First patched Vulnerable functions
npm aurelia-path < 1.1.7 1.1.7

References

cvelogic Threat Intelligence