CVE-2021-23438: Access of Resource Using Incompatible Type (Type Confusion)

September 1, 2021 (updated September 10, 2021)

This affects the package mpath A type confusion vulnerability can lead to a bypass of CVE-2018-16490. In particular, the condition ignoreProperties.indexOf(parts[i]) !== -1 returns -1 if parts[i] is ['__proto__']. This is because the method that has been called if the input is an array is Array.prototype.indexOf() and not String.prototype.indexOf(). They behave differently depending on the type of the input.

References

nvd.nist.gov/vuln/detail/CVE-2021-23438

Code Behaviors & Features

Detect and mitigate CVE-2021-23438 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →