
CVE-2021-23438: Mpath Authentication Bypass Vulnerability

CVE-2021-23438 is an authentication bypass flaw in Mpath before version 0.8.4 caused by type confusion that bypasses CVE-2018-16490 protections. This article covers the technical details, affected versions, and mitigation.

Published: February 25, 2026

CVE-2021-23438 Overview

A type confusion vulnerability exists in the mpath Node.js package before version 0.8.4 that enables attackers to bypass the prototype pollution fix implemented for CVE-2018-16490. The vulnerability arises from inconsistent handling of array inputs in the ignoreProperties.indexOf() method, where passing ['__proto__'] as an array element causes Array.prototype.indexOf() to be invoked instead of String.prototype.indexOf(), resulting in improper input validation and enabling prototype pollution attacks.

Critical Impact

This vulnerability allows remote attackers to bypass existing security protections and perform prototype pollution attacks, potentially leading to arbitrary code execution, denial of service, or property injection in Node.js applications using the affected mpath package.

Affected Products

  • mpath_project mpath (versions before 0.8.4)
  • Node.js applications using vulnerable mpath versions
  • WebJars npm packages containing mpath

Discovery Timeline

  • 2021-09-01 - CVE-2021-23438 published to NVD
  • 2024-11-21 - Last updated in NVD database

Technical Details for CVE-2021-23438

Vulnerability Analysis

This vulnerability represents a type confusion issue (CWE-843) that allows attackers to circumvent security controls designed to prevent prototype pollution. The flaw exists in how the mpath package handles path segment validation when determining whether to ignore certain property names like __proto__.

The core issue lies in the condition ignoreProperties.indexOf(parts[i]) !== -1, which behaves differently depending on the data type passed. When an attacker supplies ['__proto__'] (an array containing the string __proto__) instead of simply '__proto__' (a string), the JavaScript engine calls Array.prototype.indexOf() instead of String.prototype.indexOf(). Since these methods have different comparison semantics, the security check incorrectly returns -1 (not found), allowing the malicious property to bypass validation.

This bypass enables prototype pollution attacks where an attacker can inject properties into JavaScript's Object.prototype, affecting all objects in the application and potentially leading to remote code execution or denial of service conditions.

Root Cause

The root cause is improper type checking in the path parsing logic. The code assumes that path segments (parts[i]) will always be strings, but does not enforce this constraint. When an array is passed as a path segment, the different behavior of indexOf() on arrays versus strings creates a condition where security-sensitive property names can evade detection. The fix addresses this by explicitly validating that each path segment is either a string or number type before processing.
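To make the mechanism above concrete, here is an added example (written for this page, not mpath's source code): a reduced model of the pre-0.8.4 segment check placed beside the type guard that 0.8.4 introduced. The contents of the ignore list are assumed from the CVE-2018-16490 fix and are not stated on this page; IGNORE_PROPERTIES, isIgnoredName, keyAsSeenByPropertyAccess, validateSegment, findBypassSegments and safeGet are names chosen for the example. The pre-flight audit goes slightly beyond the page's array case: it flags any non-string segment whose string coercion is an ignored name.

```javascript
// Added example (not mpath's source): a reduced model of the segment check
// before 0.8.4 and of the type guard 0.8.4 introduced.

// Assumption: the ignore list is the one the CVE-2018-16490 fix introduced;
// its exact contents are not on this page, so treat it as illustrative.
const IGNORE_PROPERTIES = ['__proto__', 'constructor', 'prototype'];

// The original check: ignoreProperties.indexOf(segment) !== -1.
// Array.prototype.indexOf compares with ===, so this is correct for string
// segments, but an array such as ['__proto__'] is never === '__proto__' and
// comes back "not ignored".
function isIgnoredName(segment) {
  return IGNORE_PROPERTIES.indexOf(segment) !== -1;
}

// Property access, by contrast, converts the key to a string first, so
// obj[['__proto__']] and obj['__proto__'] reach the same property.
function keyAsSeenByPropertyAccess(segment) {
  return String(segment);
}

// The 0.8.4 guard: reject anything that is not a string or number before the
// ignore check runs, mirroring the patched get() loop.
function validateSegment(segment) {
  if (typeof segment !== 'string' && typeof segment !== 'number') {
    throw new TypeError(
      'Each segment of path to `get()` must be a string or number, got ' +
        typeof segment
    );
  }
  return segment;
}

// Defender's pre-flight audit of a path: returns the segments the unguarded
// check would let through even though property access resolves them to an
// ignored name. An empty array means the path is safe even for unpatched code.
function findBypassSegments(parts) {
  const bypass = [];
  for (const segment of parts) {
    const coerced = keyAsSeenByPropertyAccess(segment);
    if (!isIgnoredName(segment) && isIgnoredName(coerced)) {
      bypass.push(segment);
    }
  }
  return bypass;
}

// Read-only walk with the guard in place: returns the value at the path, or
// undefined when a segment is missing or is an ignored name; throws TypeError
// on a non-string/number segment instead of silently coercing it.
function safeGet(obj, parts) {
  let cur = obj;
  for (const raw of parts) {
    const segment = validateSegment(raw);
    if (cur === null || cur === undefined) return undefined;
    if (isIgnoredName(String(segment))) return undefined;
    cur = cur[segment];
  }
  return cur;
}
```

The contrast to keep in mind is isIgnoredName(['__proto__']) returning false while keyAsSeenByPropertyAccess(['__proto__']) returns '__proto__': the ignore check and the property lookup disagree about what the segment is, and the type guard removes that disagreement by refusing the segment outright.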

Attack Vector

An attacker can exploit this vulnerability remotely without authentication by supplying crafted input to any application endpoint that passes user-controlled data through mpath's path traversal functions. By constructing a path array containing ['__proto__'] as an element instead of the string '__proto__', the attacker can pollute the Object prototype, potentially:

  1. Injecting malicious properties that affect application behavior
  2. Overwriting existing properties to cause denial of service
  3. Achieving remote code execution if the polluted properties are used in dangerous contexts

The following patch was applied to fix the vulnerability by enforcing strict type checking on path segments:

javascript
 
   for (var i = 0; i < parts.length; ++i) {
     part = parts[i];
+    if (typeof parts[i] !== 'string' && typeof parts[i] !== 'number') {
+      throw new TypeError('Each segment of path to `get()` must be a string or number, got ' + typeof parts[i]);
+    }
 
     if (Array.isArray(obj) && !/^\d+$/.test(part)) {
       // reading a property from the array items
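Review bot: the new guard at `if (typeof parts[i] !== 'string' && typeof parts[i] !== 'number')` sits one line after `part = parts[i];`, so it re-indexes `parts[i]` three times where `part` is already in scope; using `part` in both the condition and the error message keeps the loop consistent and avoids drift if the assignment above ever changes. The message also hard-codes `get()`, so if the same guard is copied into other path-walking functions it will name the wrong call; a small shared helper that takes the function name, for example `assertSegment(part, 'get')`, would keep the check and its message in one place. A regression test that passes `['__proto__']` as a segment and expects a TypeError belongs with this hunk so the bypass stays covered.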

Source: GitHub Commit Update

Detection Methods for CVE-2021-23438

Indicators of Compromise

  • Unexpected modifications to Object.prototype properties in running Node.js applications
  • Application logs showing unusual array-type inputs in path parameters
  • Runtime errors or unexpected behavior caused by polluted prototype properties
  • Anomalous object property access patterns in application monitoring

Detection Strategies

  • Implement dependency scanning tools (such as npm audit or Snyk) to identify vulnerable mpath versions in your project dependencies
  • Monitor application runtime for prototype pollution indicators using security-focused JavaScript monitoring tools
  • Review application logs for unusual input patterns, particularly array inputs where strings are expected
  • Deploy static analysis tools configured to detect type confusion patterns in Node.js code

Monitoring Recommendations

  • Enable verbose logging for user input handling in Node.js applications using mpath
  • Configure dependency vulnerability scanning in CI/CD pipelines to catch vulnerable package versions
  • Implement runtime prototype integrity checks in production environments
  • Set up alerts for any npm security advisories affecting mpath or related packages
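One way to implement the runtime prototype integrity check recommended above, as an added example that is not from this page or SentinelOne: take a baseline of Object.prototype's own keys at process start, then compare on a timer or from a health endpoint and emit a log-ready record that a SIEM rule can alert on. The names snapshotObjectPrototype, detectPrototypePollution, strayEnumerableKeys and integrityReport are chosen for this example; the injected key used when exercising it is constructed test data.

```javascript
// Added example (not from the page): a runtime integrity monitor for
// Object.prototype, for detecting prototype pollution after the fact.

// Baseline: every own key (string and symbol) of Object.prototype at startup,
// stored as strings so symbols can be compared too.
function snapshotObjectPrototype() {
  return new Set(Reflect.ownKeys(Object.prototype).map(String));
}

// Compare the live prototype against the baseline; returns the keys that have
// appeared since, or an empty array when nothing changed.
function detectPrototypePollution(baseline) {
  const current = Reflect.ownKeys(Object.prototype).map(String);
  return current.filter((key) => !baseline.has(key));
}

// Second, baseline-independent signal: a fresh empty object should enumerate no
// keys at all. Properties added to Object.prototype by plain assignment are
// enumerable and therefore show up in for...in over {}.
function strayEnumerableKeys() {
  const stray = [];
  for (const key in {}) stray.push(key);
  return stray;
}

// Log-ready record; alert when status is 'POLLUTED' or polluted.length > 0.
function integrityReport(baseline) {
  const polluted = detectPrototypePollution(baseline);
  return {
    checkedAt: new Date().toISOString(),
    polluted,
    strayEnumerableKeys: strayEnumerableKeys(),
    status: polluted.length === 0 ? 'clean' : 'POLLUTED',
  };
}

// Take the baseline once, as early as possible in process startup, before any
// user input is handled; later checks compare against this value.
const BASELINE = snapshotObjectPrototype();
```

Take the baseline before any request handling or plugin loading, otherwise a property injected during startup would be folded into the baseline and never reported. The stray-key scan is useful as a cross-check because it does not depend on when the baseline was taken.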

How to Mitigate CVE-2021-23438

Immediate Actions Required

  • Upgrade mpath to version 0.8.4 or later immediately using npm update mpath
  • Run npm audit to verify the vulnerability has been addressed in your dependencies
  • Review applications for any direct usage of mpath with user-controlled input
  • Consider implementing input validation at the application layer as defense-in-depth

Patch Information

The vulnerability has been fixed in mpath version 0.8.4. The patch adds explicit type checking to ensure that each path segment passed to get() is either a string or number, throwing a TypeError if other types are detected. This prevents the type confusion attack vector by rejecting array inputs before they can bypass the ignoreProperties check.

Apply the fix by updating your package.json and running:

npm install mpath@0.8.4

For additional details, see the GitHub Commit Update containing the security fix.

Workarounds

  • Implement input validation at the application layer to ensure path arguments are strings before passing to mpath functions
  • Use Object.freeze() on Object.prototype as a temporary mitigation against prototype pollution (may cause compatibility issues)
  • Consider using alternative path traversal libraries that include built-in type checking
  • If upgrading is not immediately possible, patch the vulnerability manually by adding type checks before mpath function calls

# Configuration example - update mpath to the patched version
npm install mpath@^0.8.4 --save
npm audit fix
# Verify the update
npm list mpath

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Vulnerability Details

  • Type: Auth Bypass
  • Vendor/Tech: Mpath
  • Severity: CRITICAL
  • CVSS Score: 9.8
  • EPSS Probability: 0.52%
  • Known Exploited: No
  • CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Impact Assessment

  • Confidentiality: Low
  • Integrity: None
  • Availability: High

CWE References

  • CWE-843

Technical References

  • Snyk Java Vulnerability SNYK-JAVA-ORGWEBJARSNPM-1579548
  • Snyk JS Vulnerability SNYK-JS-MPATH-1577289

Vendor Resources

  • GitHub Commit Update