
CVE-2021-41097: Prototype pollution in aurelia-path

CVSS Score: 9.1 (CVSS 3.1)

Basic Information

EPSS Score: 0.55919%
Published: 9/27/2021
Updated: 2/1/2023
KEV Status: No
Technology: JavaScript

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
| --- | --- | --- | --- |
| aurelia-path | npm | < 1.1.7 | 1.1.7 |

Vulnerability Intelligence

Miggo AI Root Cause Analysis

The vulnerability stems from the parseComplexParam function's handling of keys during query string parsing. The pre-patch code accepted `__proto__` as a key (via the keys[j] input), which would create or overwrite properties on Object.prototype. The patch explicitly adds a check for `__proto__` and throws an error, confirming this was the attack vector. The function's role in recursively building nested objects from URL parameters makes it the primary entry point for prototype pollution in this context.
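The following is an added example, not aurelia-path's own code: a minimal recursive query-string parser that mirrors the pattern the root-cause analysis describes, shown in a vulnerable form and a hardened form, together with a check that tells you whether Object.prototype has been written to. All function names (`keyPath`, `assignPathUnsafe`, `assignPathSafe`, `parseQueryString`, `isPrototypePolluted`, `demo`), the `BLOCKED_KEYS` set and the sample query string are constructed for this example; the hardened form also rejects `constructor` and `prototype`, which goes beyond the `__proto__` check the patch description mentions.

```javascript
// Added example, not aurelia-path's own code: a minimal recursive query-string
// parser in the style the root-cause analysis describes, in a vulnerable form
// and a hardened form, plus a detection check for prototype pollution.

// Split a bracketed key such as "a[b][c]" into its path ["a", "b", "c"].
// (Helper constructed for this example.)
function keyPath(rawKey) {
  const m = rawKey.match(/^([^\[]+)((?:\[[^\]]*\])*)$/);
  if (!m) return [rawKey];
  const nested = [...m[2].matchAll(/\[([^\]]*)\]/g)].map((x) => x[1]);
  return [m[1], ...nested];
}

// Vulnerable form: walk the key path, creating nested objects as needed, with
// no restriction on key names. For the path ["__proto__", "polluted"] the walk
// does `current = current["__proto__"]`, which is Object.prototype, so the
// final assignment lands on the prototype shared by every plain object.
function assignPathUnsafe(target, keys, value) {
  let current = target;
  for (let j = 0; j < keys.length - 1; j++) {
    if (typeof current[keys[j]] !== 'object' || current[keys[j]] === null) {
      current[keys[j]] = {};
    }
    current = current[keys[j]];
  }
  current[keys[keys.length - 1]] = value;
  return target;
}

// Hardened form, in the spirit of the fix the advisory describes (a check for
// "__proto__" that throws). "constructor" and "prototype" are rejected here as
// an extra precaution beyond the described patch, since a path through
// constructor.prototype reaches Object.prototype as well.
const BLOCKED_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function assignPathSafe(target, keys, value) {
  for (const k of keys) {
    if (BLOCKED_KEYS.has(k)) {
      throw new Error(`Prototype pollution attempt rejected: key "${k}"`);
    }
  }
  // With prototype-reaching keys excluded, the plain walk is safe to reuse.
  return assignPathUnsafe(target, keys, value);
}

// Parse "a[b]=1&c=2" into nested objects using the given assignment strategy.
function parseQueryString(query, assign) {
  const result = {};
  for (const pair of query.replace(/^\?/, '').split('&')) {
    if (!pair) continue;
    const eq = pair.indexOf('=');
    const rawKey = decodeURIComponent(eq < 0 ? pair : pair.slice(0, eq));
    const value = eq < 0 ? '' : decodeURIComponent(pair.slice(eq + 1));
    assign(result, keyPath(rawKey), value);
  }
  return result;
}

// Detection check: an own property on Object.prototype that the runtime did
// not put there means something has polluted the prototype.
function isPrototypePolluted(prop) {
  return Object.prototype.hasOwnProperty.call(Object.prototype, prop);
}

// Run both parsers over a constructed query string and report what happened.
function demo() {
  const query = 'name=x&__proto__[polluted]=yes'; // constructed input
  const before = isPrototypePolluted('polluted');
  parseQueryString(query, assignPathUnsafe);
  const afterUnsafe = isPrototypePolluted('polluted');
  delete Object.prototype.polluted; // undo the side effect so the process is clean again
  const afterCleanup = isPrototypePolluted('polluted');
  let rejected = false;
  try {
    parseQueryString(query, assignPathSafe);
  } catch (e) {
    rejected = true;
  }
  return { before, afterUnsafe, afterCleanup, rejected };
}

console.log(demo());
```

Running the block prints `{ before: false, afterUnsafe: true, afterCleanup: false, rejected: true }`: the unguarded walk leaves a `polluted` property on Object.prototype, while the guarded walk refuses the key before any object is touched. The `isPrototypePolluted` check is the kind of assertion worth keeping in a test suite for any parser that builds nested objects from untrusted key names.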

WAF Protection Rules

WAF Rule

### Impact

The vulnerability exposes an Aurelia application that uses the `aurelia-path` package to parse a string. The majority of these will be Aurelia applications that employ the `aurelia-router` package. An example is this could allow an attacker to ...
