CVE-2021-41097

Description

### Impact The vulnerability exposes Aurelia application that uses `aurelia-path` package to parse a string. The majority of this will be Aurelia applications that employ the `aurelia-router` package. An example is this could allow an attacker to change the prototype of base object class `Object` by tricking an application to parse the following URL: `https://aurelia.io/blog/?__proto__[asdf]=asdf` ### Patches The problem should be patched in version `1.1.7`. Any version earlier than this is vulnerable. ### Workarounds A partial work around is to free the Object prototype: ```ts Object.freeze(Object.prototype) ```

How to fix CVE-2021-41097

To remediate CVE-2021-41097, upgrade the affected package to a fixed version below.

• —upgrade to 1.1.7 or later

Is CVE-2021-41097 being exploited?

Moderate — EPSS is 11.7%. Track this CVE but it's not at the top of the prioritisation list.

Affected packages (1)

• from 0, < 1.1.7

CVSS scores

References (7)

• ADVISORYnvd.nist.gov/vuln/detail/CVE-2021-41097
• PATCHgithub.com/aurelia/path
• WEBgithub.com/aurelia/path/commit/7c4e235433a4a2df9acc313fbe891758084fdec1
• WEBgithub.com/aurelia/path/issues/44
• WEB