Prototype Pollution

Affecting cached-path-relative package, versions <1.0.2

Overview

cached-path-relative memoizes the results of the path.relative function.

Affected versions of this package are vulnerable to Prototype Pollution: an attacker could inject properties on Object.prototype, which are then inherited by all JS objects through the prototype chain.

Remediation

Upgrade cached-path-relative to version 1.0.2 or higher.


CVSS Score

7.5 (high severity)
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: Low
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality: High
  • Integrity: High
  • Availability: High
Vector: CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Credit: Cristian-Alexandru Staicu
CVE: CVE-2018-16472
CWE: CWE-400
Snyk ID: SNYK-JS-CACHEDPATHRELATIVE-72573
Disclosed: 06 Aug, 2018
Published: 08 Nov, 2018