2 matches found
CVE-2018-16490
CVE-2018-16490 affects the mpath npm package prior to version 0.8.4, where a prototype pollution flaw can lead to arbitrary properties being injected onto Object.prototype. The root cause is a type handling mismatch in ignoreProperties.indexOf(parts[i]); when parts[i] is proto , the code path use...
CVE-2021-23438
CVE-2021-23438 affects the Node.js mpath module prior to 0.8.4. The vulnerability is a type confusion that can bypass CVE-2018-16490 by mishandling array input (using Array.prototype.indexOf instead of String.prototype.indexOf) when processing the path elements, enabling a prototype/polution-styl...