CVE-2021-23434 — node-object-path - security update

Description

This affects the package object-path before 0.11.6. A type confusion vulnerability can lead to a bypass of CVE-2020-15256 when the path components used in the path parameter are arrays. In particular, the condition currentPath === '__proto__' returns false if currentPath is ['__proto__']. This is because the === operator returns always false when the type of the operands is different.

How to fix CVE-2021-23434

To remediate CVE-2021-23434, upgrade the affected package to a fixed version below.

—upgrade to 0.11.5-3+deb11u1 or later
—upgrade to 0.11.4-2+deb10u2 or later
—upgrade to 0.11.6 or later

Is CVE-2021-23434 being exploited?

Low — EPSS is 0.4%, meaning exploitation activity has not been observed at scale.

Affected packages (3)

from 0, < 0.11.5-3+deb11u1
from 0, < 0.11.4-2+deb10u2
from 0, < 0.11.6

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	MEDIUM5.6	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L

References (9)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2021-23434
ADVISORYsecurity-tracker.debian.org/tracker/CVE-2021-23434
PATCHgithub.com/mariocasciaro/object-path
WEBgithub.com/mariocasciaro/object-path#0116
WEB