CVE-2021-23438
Severity: MEDIUM
mpath < 0.8.4 - Type Confusion via Array IndexOf Bypass
Title source: llmDescription
This affects the package mpath before 0.8.4. A type confusion vulnerability can lead to a bypass of CVE-2018-16490. In particular, ignoreProperties.indexOf(parts[i]) returns -1 when parts[i] is ['__proto__'], so the guard condition ignoreProperties.indexOf(parts[i]) !== -1 does not trigger. This is because, when the input is an array, the method being called is Array.prototype.indexOf() rather than String.prototype.indexOf(), and the two behave differently depending on the type of the input.
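The following is an added illustration of the check described above and is not mpath's own code: a constructed guard in the same indexOf style, a stricter guard that normalizes the segment type before comparing, and a minimal path setter (all names here are hypothetical) that refuses non-string segments.

```javascript
// Added example (not mpath's code): the indexOf guard from CVE-2021-23438 and a
// stricter alternative. ignoreProperties mirrors the list the advisory refers to.
const ignoreProperties = ['__proto__', 'constructor', 'prototype'];

// Guard in the style the advisory describes. Array.prototype.indexOf uses strict
// equality, so an array segment such as ['__proto__'] is never === the string
// '__proto__': indexOf returns -1 and the segment is treated as harmless.
function isIgnoredWeak(part) {
  return ignoreProperties.indexOf(part) !== -1;
}

// Stricter guard: only plain strings and numbers are acceptable path segments,
// and the comparison is made on the segment's string form, which is the same
// form the engine uses when the segment becomes a property key.
function isIgnoredStrict(part) {
  if (typeof part !== 'string' && typeof part !== 'number') return true;
  return ignoreProperties.indexOf(String(part)) !== -1;
}

// Why the type mismatch matters: a property access with an array key stringifies
// it, so obj[['__proto__']] resolves to obj['__proto__'].
function keyAsUsedByEngine(part) {
  return String(part);
}

// Minimal path setter using the strict guard. Returns true on success and false
// when any segment is refused; constructed for illustration, not mpath's API.
function setPathStrict(obj, parts, value) {
  let cur = obj;
  for (let i = 0; i < parts.length; i++) {
    const part = parts[i];
    if (isIgnoredStrict(part)) return false;      // refuse dangerous segment
    if (i === parts.length - 1) {
      cur[part] = value;
      return true;
    }
    if (typeof cur[part] !== 'object' || cur[part] === null) cur[part] = {};
    cur = cur[part];
  }
  return false;
}
```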
References (3)
- Exploit, Third Party Advisory (x_refsource_misc): https://snyk.io/vuln/SNYK-JS-MPATH-1577289
- Exploit, Third Party Advisory (x_refsource_misc): https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1579548
- Patch, Third Party Advisory (x_refsource_misc): https://github.com/aheckmann/mpath/commit/89402d2880d4ea3518480a8c9847c541f2d824fc
Scores
CVSS v3: 5.6
EPSS: 0.0167
EPSS Percentile: 73.7%
Attack Vector: NETWORK
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L
Details
CWE: CWE-843
Status: published
Products (2)
- mpath_project/mpath: < 0.8.4
- npm/mpath: 0 - 0.8.4 (npm)
Published: Sep 01, 2021
Tracked Since: Feb 18, 2026