GHSA-3c9c-2p65-qvwv
Suggest an improvement- Source
- https://github.com/advisories/GHSA-3c9c-2p65-qvwv
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/09/GHSA-3c9c-2p65-qvwv/GHSA-3c9c-2p65-qvwv.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-3c9c-2p65-qvwv
- Aliases
- Related
- Published
- 2021-09-27T20:12:16Z
- Modified
- 2026-03-13T22:14:38.535321Z
- Severity
-
- 9.1 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N CVSS Calculator
- Summary
- Prototype pollution in aurelia-path
- Details
-
Impact
The vulnerability exposes Aurelia application that uses
aurelia-pathpackage to parse a string. The majority of this will be Aurelia applications that employ theaurelia-routerpackage. An example is this could allow an attacker to change the prototype of base object classObjectby tricking an application to parse the following URL:https://aurelia.io/blog/?__proto__[asdf]=asdfPatches
The problem should be patched in version
1.1.7. Any version earlier than this is vulnerable.Workarounds
A partial work around is to free the Object prototype:
Object.freeze(Object.prototype) - Database specific
{ "severity": "CRITICAL", "nvd_published_at": "2021-09-27T18:15:00Z", "cwe_ids": [ "CWE-1321", "CWE-915" ], "github_reviewed_at": "2021-09-27T19:18:37Z", "github_reviewed": true }- References
-
- https://github.com/aurelia/path/security/advisories/GHSA-3c9c-2p65-qvwv
- https://nvd.nist.gov/vuln/detail/CVE-2021-41097
- https://github.com/aurelia/path/issues/44
- https://github.com/aurelia/path/commit/7c4e235433a4a2df9acc313fbe891758084fdec1
- https://github.com/aurelia/path
- https://github.com/aurelia/path/releases/tag/1.1.7
- https://www.npmjs.com/package/aurelia-path
Affected packages
npm / aurelia-path
Package
- Name
- aurelia-path
- View open source insights on deps.dev
- Purl
- pkg:npm/aurelia-path