CVE-2021-23518 Overview
CVE-2021-23518 is a Prototype Pollution vulnerability affecting the cached-path-relative npm package before version 1.1.0. The vulnerability exists in the cachedPathRelative function where the cache variable is initialized using {} instead of Object.create(null). This insecure initialization allows attackers to access parent prototype properties when the object is used to create cached relative paths. When using the origin path as __proto__, the attribute of the object is accessed instead of a path, enabling prototype pollution attacks.
This vulnerability is notable as it derives from an incomplete fix for a previous security issue (SNYK-JS-CACHEDPATHRELATIVE-72573).
Critical Impact
Successful exploitation allows attackers to inject malicious properties into JavaScript object prototypes, potentially leading to remote code execution, denial of service, or property injection attacks across the entire application.
Affected Products
- cached-path-relative (versions before 1.1.0)
- Debian Linux 10.0
- WebJars npm packages using cached-path-relative
Discovery Timeline
- 2022-01-21 - CVE-2021-23518 published to NVD
- 2024-11-21 - Last updated in NVD database
Technical Details for CVE-2021-23518
Vulnerability Analysis
The cached-path-relative package provides a caching mechanism for computing relative paths in Node.js applications. The vulnerability stems from improper object initialization patterns that leave the cache objects susceptible to prototype pollution.
In JavaScript, when an object is created using the literal notation {}, it inherits from Object.prototype. This inheritance chain becomes dangerous when user-controlled input can be used as object keys, particularly reserved keys like __proto__, constructor, or prototype. An attacker can leverage this behavior to modify the base prototype of all objects in the application.
The impact of prototype pollution in this context is significant. Since the cache is used to store and retrieve path mappings, an attacker who can control path inputs could inject malicious properties that propagate throughout the application. This can lead to authentication bypasses, remote code execution through gadget chains, or application crashes.
Root Cause
The root cause is the use of standard JavaScript object literals ({}) for cache storage instead of null-prototype objects (Object.create(null)). When the cache object inherits from Object.prototype, special property names like __proto__ can be used to pollute the prototype chain rather than being treated as regular string keys.
The vulnerability exists in two locations within the code: the initial cache creation when the working directory changes, and the creation of nested cache objects for storing path relationships.
Attack Vector
The attack vector is network-based, allowing remote exploitation without authentication or user interaction. An attacker can exploit this vulnerability by providing malicious path inputs that include prototype pollution payloads. When the cachedPathRelative function processes a path value containing __proto__, the function inadvertently accesses or modifies the object prototype instead of treating it as a standard path string.
// to invalidate the cache
var cwd = process.cwd()
if (cwd !== lastCwd) {
- cache = {}
+ cache = Object.create(null)
lastCwd = cwd
}
if (cache[from] && cache[from][to]) return cache[from][to]
var result = relative.call(path, from, to)
- cache[from] = cache[from] || {}
+ cache[from] = cache[from] || Object.create(null)
cache[from][to] = result
return result
Source: GitHub Commit Change
The fix replaces both instances of {} with Object.create(null), creating objects without prototype inheritance that safely handle all string keys including __proto__.
Detection Methods for CVE-2021-23518
Indicators of Compromise
- Unexpected property additions to JavaScript object prototypes in application logs
- Application errors or crashes related to unexpected object property access
- Anomalous path-related inputs containing __proto__, constructor, or prototype strings in request logs
Detection Strategies
- Implement software composition analysis (SCA) tools to identify vulnerable versions of cached-path-relative in your dependency tree
- Monitor application logs for path inputs containing prototype pollution patterns such as __proto__ or constructor.prototype
- Deploy runtime application self-protection (RASP) solutions that can detect and block prototype pollution attempts
Monitoring Recommendations
- Audit npm dependency lock files (package-lock.json) for cached-path-relative versions below 1.1.0
- Implement input validation logging to capture suspicious path values being processed by the application
- Configure security monitoring to alert on JavaScript runtime errors that may indicate prototype pollution exploitation attempts
How to Mitigate CVE-2021-23518
Immediate Actions Required
- Upgrade cached-path-relative to version 1.1.0 or later immediately
- Run npm audit or yarn audit to identify vulnerable dependencies in your projects
- Review transitive dependencies that may include vulnerable versions of this package
- For Debian Linux 10.0 users, apply the security updates referenced in the Debian LTS Security Announcement
Patch Information
The vulnerability is fixed in version 1.1.0 of the cached-path-relative package. The security patch (commit 40c73bf70c58add5aec7d11e4f36b93d144bb760) replaces vulnerable object initializations with Object.create(null) to create prototype-less objects that safely handle all key values.
For detailed technical information about the fix, refer to:
Workarounds
- If immediate patching is not possible, implement input validation to reject path inputs containing prototype pollution payloads (__proto__, constructor, prototype)
- Consider freezing Object.prototype at application startup using Object.freeze(Object.prototype) to prevent prototype modification
- Use security middleware or WAF rules to filter requests containing prototype pollution patterns before they reach the application
# Upgrade cached-path-relative to patched version
npm update cached-path-relative@^1.1.0
# Verify the installed version
npm list cached-path-relative
# Run security audit to check for remaining vulnerabilities
npm audit fix
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
