Description
The package cached-path-relative before 1.1.0 are vulnerable to Prototype Pollution via the cache variable that is set as {} instead of Object.create(null) in the cachedPathRelative function, which allows access to the parent prototype properties when the object is used to create the cached relative path. When using the origin path as __proto__, the attribute of the object is accessed instead of a path. **Note:** This vulnerability derives from an incomplete fix in https://security.snyk.io/vuln/SNYK-JS-CACHEDPATHRELATIVE-72573
References (4)
Core 4
Core References
Mailing List, Third Party Advisory mailing-list
https://lists.debian.org/debian-lts-announce/2022/12/msg00006.html
Patch, Third Party Advisory
https://github.com/ashaffer/cached-path-relative/commit/40c73bf70c58add5aec7d11e4f36b93d144bb760
Exploit, Issue Tracking, Patch, Third Party Advisory
https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-2348246
Exploit, Issue Tracking, Patch, Third Party Advisory
https://snyk.io/vuln/SNYK-JS-CACHEDPATHRELATIVE-2342653
Scores
CVSS v3
7.3
EPSS
0.0065
EPSS Percentile
70.8%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Details
CWE
CWE-1321
Status
published
Products (3)
cached-path-relative_project/cached-path-relative
< 1.1.0
debian/debian_linux
10.0
npm/cached-path-relative
0 - 1.1.0npm
Published
Jan 21, 2022
Tracked Since
Feb 18, 2026