In mpath
before 0.8.4 a type confusion vulnerability can lead to a bypass of CVE-2018-16490. In particular, the condition ignoreProperties.indexOf(parts[i]) !== -1
returns -1 if parts[i]
is [‘proto’]. This is because the method that has been called if the input is an array is Array.prototype.indexOf()
and not String.prototype.indexOf()
. They behave differently depending on the type of the input.
Upgrade to version 0.8.4 or later