Prototype Pollution

Affecting mpath package, versions <0.5.1

Overview

mpath is a package for getting and setting JavaScript object values using MongoDB-like path notation.

Affected versions of this package are vulnerable to Prototype Pollution. An attacker could specify a path that includes the prototype object, and thus overwrite important properties on Object.prototype or add new ones.
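The mechanism described above, as an added example that is not mpath's code and not part of the original advisory: a hypothetical naive dotted-path setter (naiveSet) follows a `__proto__` segment onto Object.prototype, while a hardened variant (safeSet) rejects prototype-reaching segments and only descends into own properties. The function names and the isAdmin property are assumptions made for illustration.

```javascript
// Added illustration of the bug class; this is not mpath's source code.
const BLOCKED = new Set(['__proto__', 'constructor', 'prototype']);

// Naive dotted-path setter: walks whatever keys the path names.
function naiveSet(obj, path, value) {
  const keys = path.split('.');
  let cur = obj;
  for (const key of keys.slice(0, -1)) {
    if (cur[key] === null || typeof cur[key] !== 'object') cur[key] = {};
    cur = cur[key]; // '__proto__' resolves to Object.prototype here
  }
  cur[keys[keys.length - 1]] = value;
}

// Hardened setter: refuses prototype-reaching segments and descends
// only into properties the object itself owns.
function safeSet(obj, path, value) {
  const keys = path.split('.');
  if (keys.some((k) => BLOCKED.has(k))) {
    throw new TypeError(`refusing prototype-reaching path: "${path}"`);
  }
  let cur = obj;
  for (const key of keys.slice(0, -1)) {
    const own = Object.prototype.hasOwnProperty.call(cur, key);
    if (!own || cur[key] === null || typeof cur[key] !== 'object') cur[key] = {};
    cur = cur[key];
  }
  cur[keys[keys.length - 1]] = value;
}

// Runs both setters on a constructed path and reports what happened.
function demo() {
  const result = {};
  naiveSet({}, '__proto__.isAdmin', true);
  result.naivePolluted = ({}).isAdmin === true; // unrelated object affected
  delete Object.prototype.isAdmin;              // undo the pollution
  try {
    safeSet({}, '__proto__.isAdmin', true);
    result.safeRejected = false;
  } catch (e) {
    result.safeRejected = e instanceof TypeError;
  }
  result.safePolluted = ({}).isAdmin === true;
  const doc = {};
  safeSet(doc, 'user.name', 'alice');           // ordinary paths still work
  result.normalWrite = doc.user.name;
  return result;
}
console.log(demo());
```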

Remediation

Upgrade mpath to version 0.5.1 or higher.


CVSS Score

7.3 (high severity)

  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality: Low
  • Integrity: Low
  • Availability: Low

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

Credit: Cristian-Alexandru Staicu
CVE: CVE-2018-16490
CWE: CWE-400
Snyk ID: SNYK-JS-MPATH-72672
Disclosed: 11 Dec, 2018
Published: 12 Dec, 2018