CVE-2021-23408
MEDIUMgraphhopper < 3.2 - Prototype Pollution via URL Parser
Title source: llmDescription
This affects the package com.graphhopper:graphhopper-web-bundle before 3.2, from 4.0-pre1 and before 4.0. The URL parser could be tricked into adding or modifying properties of Object.prototype using a constructor or __proto__ payload.
References (4)
Core 4
Core References
Exploit, Third Party Advisory x_refsource_misc
https://snyk.io/vuln/SNYK-JAVA-COMGRAPHHOPPER-1320114
Patch, Third Party Advisory x_refsource_misc
https://github.com/graphhopper/graphhopper/pull/2370
Release Notes, Third Party Advisory x_refsource_misc
https://github.com/graphhopper/graphhopper/releases/tag/3.2
Release Notes, Third Party Advisory x_refsource_misc
https://github.com/graphhopper/graphhopper/releases/tag/3.1
Scores
CVSS v3
5.4
EPSS
0.0140
EPSS Percentile
68.9%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:L
Details
CWE
CWE-1321
Status
published
Products (3)
com.graphhopper/graphhopper-web-bundle
0 - 3.2Maven
graphhopper/graphhopper
4.0 pre1 (2 CPE variants)
graphhopper/graphhopper
< 3.2
Published
Jul 21, 2021
Tracked Since
Feb 18, 2026