CVE-2021-23438

Access of Resource Using Incompatible Type (Type Confusion) in npm/mpath

Identifiers

CVE-2021-23438

Package Slug

npm/mpath

Vulnerability

Access of Resource Using Incompatible Type (Type Confusion)

Description

This affects the package mpath before 0.8.4. A type confusion vulnerability can lead to a bypass of CVE-2018-16490. In particular, in the condition ignoreProperties.indexOf(parts[i]) !== -1, indexOf returns -1 if parts[i] is ['__proto__']. This is because the method called when the input is an array is Array.prototype.indexOf() and not String.prototype.indexOf(), and the two behave differently depending on the type of the input.
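
The check described above, next to a type-validating variant, as an added example (not code from mpath or from this advisory). Only the ignoreProperties.indexOf(...) condition and the ['__proto__'] value come from the description; the deny-list contents, the type check and the names isBlockedWeak, isBlockedStrict, walk and demo are assumptions made for illustration.

```javascript
'use strict';
// Added example. Deny-list contents are assumed; the advisory only names the array.
const ignoreProperties = ['__proto__', 'constructor', 'prototype'];

// The check quoted in the description: indexOf compares with ===, so an
// array segment never equals the string entries and is reported as allowed.
function isBlockedWeak(segment) {
  return ignoreProperties.indexOf(segment) !== -1;
}

// Hypothetical hardened check: reject any segment that is not a string or
// number before the deny-list comparison, so no coercion can happen later.
function isBlockedStrict(segment) {
  if (typeof segment !== 'string' && typeof segment !== 'number') {
    throw new TypeError('path segment must be a string or number, got ' +
      (Array.isArray(segment) ? 'array' : typeof segment));
  }
  return ignoreProperties.indexOf(String(segment)) !== -1;
}

// Minimal read-only path walker (hypothetical, not mpath's implementation).
// cur[part] coerces part to a property key, so ['__proto__'] becomes '__proto__'.
function walk(obj, parts, isBlocked) {
  let cur = obj;
  for (const part of parts) {
    if (isBlocked(part) || cur == null) return undefined;
    cur = cur[part];
  }
  return cur;
}

function demo() {
  const seg = ['__proto__']; // constructed input from the description
  let strictError = null;
  try { walk({}, [seg], isBlockedStrict); } catch (e) { strictError = e; }
  return {
    weakBlocksString: isBlockedWeak('__proto__'),
    weakBlocksArray: isBlockedWeak(seg),
    weakReachesPrototype: walk({}, [seg], isBlockedWeak) === Object.prototype,
    strictBlocksString: walk({}, ['__proto__'], isBlockedStrict) === undefined,
    strictRejectsArray: strictError instanceof TypeError,
  };
}

console.log(demo());
```

The same pattern applies to any deny-list that is compared by strict equality and then used as a property key: validate the type of each segment before the comparison.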

Affected Versions

All versions before 0.8.4

Solution

Upgrade to version 0.8.4 or above.

Last Modified

2021-09-13
