aurelia-path is part of the Aurelia platform and contains utilities for path manipulation. Versions of aurelia-path before 1.1.7 contain a prototype pollution vulnerability. It affects any Aurelia application that uses the `aurelia-path` package to parse a string; in practice, the majority of these are Aurelia applications that employ the `aurelia-router` package. For example, an attacker could modify the prototype of the base `Object` class by tricking an application into parsing the following URL: `https://aurelia.io/blog/?__proto__[asdf]=asdf`. The problem is patched in version `1.1.7`.
The product receives input from an upstream component that specifies attributes that are to be initialized or updated in an object, but it does not properly control modifications of attributes of the object prototype.
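The following is an added illustration of the bug class described above; it is not aurelia-path's own code and does not reproduce its parser. It contains a minimal bracket-notation query-string parser written in the vulnerable style (a key path such as `__proto__[asdf]` is walked with plain property assignment, so `obj["__proto__"]` resolves to `Object.prototype` and the final write lands there), beside a hardened variant that refuses the `__proto__`, `constructor` and `prototype` segments, builds null-prototype containers, and only descends into own properties. The function names, the `UNSAFE_KEYS` set and the constructed sample queries are assumptions made for this example.

```javascript
// Added example: a vulnerable bracket-notation query-string parser beside a
// hardened one. Not aurelia-path's code; it only reproduces the pattern.

// Split "a[b][c]=v" into a key path ["a","b","c"] and the value "v".
function parsePair(pair) {
  const eq = pair.indexOf('=');
  const rawKey = eq === -1 ? pair : pair.slice(0, eq);
  const rawVal = eq === -1 ? '' : pair.slice(eq + 1);
  const key = decodeURIComponent(rawKey.replace(/\+/g, ' '));
  const value = decodeURIComponent(rawVal.replace(/\+/g, ' '));
  const m = /^([^\[]+)((?:\[[^\]]*\])*)$/.exec(key);
  if (!m) return { path: [key], value };
  const path = [m[1]];
  const bracketRe = /\[([^\]]*)\]/g;
  let b;
  while ((b = bracketRe.exec(m[2])) !== null) path.push(b[1]);
  return { path, value };
}

// Vulnerable: walks the key path with ordinary property access and
// assignment. For "__proto__[asdf]=asdf" the path is ["__proto__","asdf"];
// result["__proto__"] is Object.prototype (an object, so it is not replaced)
// and the final assignment writes "asdf" onto Object.prototype itself.
function parseQueryStringVulnerable(qs) {
  const result = {};
  const q = qs.startsWith('?') ? qs.slice(1) : qs;
  for (const pair of q.split('&')) {
    if (!pair) continue;
    const { path, value } = parsePair(pair);
    let cur = result;
    for (let i = 0; i < path.length - 1; i++) {
      const seg = path[i];
      if (typeof cur[seg] !== 'object' || cur[seg] === null) cur[seg] = {};
      cur = cur[seg];
    }
    cur[path[path.length - 1]] = value;
  }
  return result;
}

// Hardened: drop any pair whose path touches a prototype-reaching segment,
// use null-prototype containers so there is no chain to climb, and only
// descend into properties the current container actually owns.
const UNSAFE_KEYS = new Set(['__proto__', 'constructor', 'prototype']); // assumption

function parseQueryStringHardened(qs) {
  const result = Object.create(null);
  const q = qs.startsWith('?') ? qs.slice(1) : qs;
  for (const pair of q.split('&')) {
    if (!pair) continue;
    const { path, value } = parsePair(pair);
    if (path.some((seg) => UNSAFE_KEYS.has(seg))) continue; // reject whole pair
    let cur = result;
    for (let i = 0; i < path.length - 1; i++) {
      const seg = path[i];
      const own = Object.prototype.hasOwnProperty.call(cur, seg);
      if (!own || typeof cur[seg] !== 'object' || cur[seg] === null) {
        cur[seg] = Object.create(null);
      }
      cur = cur[seg];
    }
    cur[path[path.length - 1]] = value;
  }
  return result;
}

// Runs the advisory's example query through a parser and reports whether
// Object.prototype picked up the "asdf" property. Cleans up afterwards so a
// polluted prototype does not leak into the rest of the process.
function demonstratePollution(parser) {
  const query = '?__proto__[asdf]=asdf'; // query string from the advisory URL
  parser(query);
  const polluted = ({}).asdf === 'asdf';
  delete Object.prototype.asdf;
  return polluted;
}

console.log('vulnerable parser pollutes Object.prototype:',
  demonstratePollution(parseQueryStringVulnerable)); // true
console.log('hardened parser pollutes Object.prototype:',
  demonstratePollution(parseQueryStringHardened));   // false
console.log('hardened parser still handles nested keys:',
  JSON.stringify(parseQueryStringHardened('?a[b]=1&a[c]=2&x=hello%20world')));
```

Note the check an application can run against its own parser: after parsing a string containing `__proto__[asdf]=asdf`, a freshly created `{}` must not report an `asdf` property. The hardened variant drops the offending pair rather than renaming it, which is the safer default when the parser has no way to signal an error to the caller.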
| Link | Tags |
|---|---|
| https://github.com/aurelia/path/security/advisories/GHSA-3c9c-2p65-qvwv | mitigation, third party advisory |
| https://github.com/aurelia/path/issues/44 | third party advisory, issue tracking, exploit |
| https://github.com/aurelia/path/commit/7c4e235433a4a2df9acc313fbe891758084fdec1 | third party advisory, patch |
| https://github.com/aurelia/path/releases/tag/1.1.7 | third party advisory, release notes |
| https://www.npmjs.com/package/aurelia-path | product, third party advisory |