hackerone / cris_semmle / H1:390847
Aug 06, 2018 - 10:10 a.m.

Node.js third-party modules: Prototype Pollution Vulnerability in cached-path-relative Package


EPSS: 0.001 (Low), percentile 40.5%

I would like to report a prototype pollution attack in cached-path-relative.
It allows an attacker to inject properties on Object.prototype which are then inherited by all the JS objects through the prototype chain.

Module

module name: cached-path-relative
version: 1.0.1
npm page: https://www.npmjs.com/package/cached-path-relative

Module Description

Memoize the results of the path.relative function. path.relative can be an expensive operation if it happens a lot, and its results shouldn’t change for the same arguments.

Module Stats

352,446 downloads in the last week

Vulnerability

Vulnerability Description

If the attacker can control both the path and the cached value, she can deploy a prototype pollution attack and thus overwrite arbitrary properties on Object.prototype.

Steps To Reproduce:

var relative = require('cached-path-relative');
relative('__proto__', 'x');
console.log({}.x);

Patch

Initialize the cache using Object.create(null) or use the Map data structure.
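
The two cache initializations suggested above, compared with a plain {} cache. This is an added example, not the package's source and not part of the original report; the two-level cache layout and the names makeObjectCache, makeMapCache and leaksToPrototype are assumptions made for illustration.

```javascript
const path = require('path');

// Two-level memo cache keyed by (from, to), backed by plain objects.
// newStore decides what kind of object holds the entries (assumed layout).
function makeObjectCache(newStore) {
  const cache = newStore();
  return function relative(from, to) {
    // With a {} store, cache['__proto__'] resolves to Object.prototype.
    const inner = cache[from] || (cache[from] = newStore());
    if (typeof inner[to] === 'string') return inner[to];
    return (inner[to] = path.relative(from, to));
  };
}

// Same memoization with Map: keys are data and never touch the prototype chain.
function makeMapCache() {
  const cache = new Map();
  return function relative(from, to) {
    let inner = cache.get(from);
    if (!inner) cache.set(from, (inner = new Map()));
    if (!inner.has(to)) inner.set(to, path.relative(from, to));
    return inner.get(to);
  };
}

// Calls relative('__proto__', probe) once and reports whether a fresh object
// inherits the probe key afterwards. Any leaked key is deleted again.
function leaksToPrototype(relative, probe) {
  relative('__proto__', probe);
  const leaked = probe in {};
  delete Object.prototype[probe];
  return leaked;
}

const plainObject = makeObjectCache(() => ({}));
const nullProto = makeObjectCache(() => Object.create(null));
const mapBacked = makeMapCache();

console.log('{} cache leaks:', leaksToPrototype(plainObject, 'probeA'));
console.log('Object.create(null) cache leaks:', leaksToPrototype(nullProto, 'probeB'));
console.log('Map cache leaks:', leaksToPrototype(mapBacked, 'probeC'));
```

On an object created with Object.create(null), '__proto__' is an ordinary own key because the accessor that normally handles it lives on Object.prototype, which that object does not inherit.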

Wrap up

  • I contacted the maintainer to let them know: N
  • I opened an issue in the related repository: N

Impact

I am not sure how clients of this module use the API, but if an attacker can control both of the values passed to cached-path-relative, the attacker can write arbitrary properties on Object.prototype.