CVE-2021-41097
CRITICAL9.1EPSS 11.7%Prototype pollution in aurelia-path
Published: 9/27/2021Modified: 3/13/2026
Also known as:GHSA-3c9c-2p65-qvwv
Description
### Impact The vulnerability exposes Aurelia application that uses `aurelia-path` package to parse a string. The majority of this will be Aurelia applications that employ the `aurelia-router` package. An example is this could allow an attacker to change the prototype of base object class `Object` by tricking an application to parse the following URL: `https://aurelia.io/blog/?__proto__[asdf]=asdf` ### Patches The problem should be patched in version `1.1.7`. Any version earlier than this is vulnerable. ### Workarounds A partial work around is to free the Object prototype: ```ts Object.freeze(Object.prototype) ```
Affected packages (1)
- npm/aurelia-pathfrom 0, < 1.1.7
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | CRITICAL9.1 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N |
References (7)
- ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2021-41097
- PATCHhttps://github.com/aurelia/path
- WEBhttps://github.com/aurelia/path/commit/7c4e235433a4a2df9acc313fbe891758084fdec1
- WEBhttps://github.com/aurelia/path/issues/44
- WEBhttps://github.com/aurelia/path/releases/tag/1.1.7
- WEBhttps://github.com/aurelia/path/security/advisories/GHSA-3c9c-2p65-qvwv
- WEBhttps://www.npmjs.com/package/aurelia-path