CVE-2021-41097

moderate-risk
Published 2021-09-27

aurelia-path is part of the Aurelia platform and contains utilities for path manipulation. There is a prototype pollution vulnerability in aurelia-path before version 1.1.7. The vulnerability exposes Aurelia application that uses `aurelia-path` package to parse a string. The majority of this will be Aurelia applications that employ the `aurelia-router` package. An example is this could allow an attacker to change the prototype of base object class `Object` by tricking an application to parse the following URL: `https://aurelia.io/blog/?__proto__[asdf]=asdf`. The problem is patched in version `1.1.7`.

Do I need to act?

!
11.7% chance of exploitation in next 30 days
EPSS score — higher than 88% of all CVEs
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
9
CVSS 9.1/10 Critical
NETWORK / LOW complexity

Affected Products (1)

Affected Vendors

Bluespire

References (10)

Patch https://github.com/aurelia/path/commit/7c4e235433a4a2df9acc313fbe891758084fdec1
Exploit https://github.com/aurelia/path/issues/44
Release Notes https://github.com/aurelia/path/releases/tag/1.1.7
Mitigation https://github.com/aurelia/path/security/advisories/GHSA-3c9c-2p65-qvwv
Product https://www.npmjs.com/package/aurelia-path
Patch https://github.com/aurelia/path/commit/7c4e235433a4a2df9acc313fbe891758084fdec1
Exploit https://github.com/aurelia/path/issues/44
Release Notes https://github.com/aurelia/path/releases/tag/1.1.7
Mitigation https://github.com/aurelia/path/security/advisories/GHSA-3c9c-2p65-qvwv
Product https://www.npmjs.com/package/aurelia-path
47
/ 100
moderate-risk
Severity 31/34 · Critical
Exploitability 11/34 · Low
Exposure 5/34 · Minimal