CVE-2021-41097

aurelia-path is part of the Aurelia platform and contains utilities for path manipulation. There is a prototype pollution vulnerability in aurelia-path before version 1.1.7. The vulnerability exposes Aurelia application that uses `aurelia-path` package to parse a string. The majority of this will be Aurelia applications that employ the `aurelia-router` package. An example is this could allow an attacker to change the prototype of base object class `Object` by tricking an application to parse the following URL: `https://aurelia.io/blog/?__proto__[asdf]=asdf`. The problem is patched in version `1.1.7`.

aurelia-path is part of the Aurelia platform and contains utilities for path manipulation. There is a prototype pollution vulnerability in aurelia-path before version 1.1.7. The vulnerability exposes Aurelia application that uses `aurelia-path` package to parse a string. The majority of this will be Aurelia applications that employ the `aurelia-router` package. An example is this could allow an attacker to change the prototype of base object class `Object` by tricking an application to parse the following URL: `https://aurelia.io/blog/?__proto__[asdf]=asdf`. The problem is patched in version `1.1.7`.

### Impact The vulnerability exposes Aurelia application that uses `aurelia-path` package to parse a string. The majority of this will be Aurelia applications that employ the `aurelia-router` package. An example is this could allow an attacker to change the prototype of base object class `Object` by tricking an application to parse the following URL: `https://aurelia.io/blog/?__proto__[asdf]=asdf` ### Patches The problem should be patched in version `1.1.7`. Any version earlier than this is vulnerable. ### Workarounds A partial work around is to free the Object prototype: ```ts Object.freeze(Object.prototype) ```

### Impact The vulnerability exposes Aurelia application that uses `aurelia-path` package to parse a string. The majority of this will be Aurelia applications that employ the `aurelia-router` package. An example is this could allow an attacker to change the prototype of base object class `Object` by tricking an application to parse the following URL: `https://aurelia.io/blog/?__proto__[asdf]=asdf` ### Patches The problem should be patched in version `1.1.7`. Any version earlier than this is vulnerable. ### Workarounds A partial work around is to free the Object prototype: ```ts Object.freeze(Object.prototype) ```

aurelia-path es parte de la plataforma Aurelia y contiene utilidades para la manipulación de rutas. Se presenta una vulnerabilidad de contaminación del prototipo en aurelia-path versiones anteriores a 1.1.7. La vulnerabilidad expone a la aplicación Aurelia que usa el paquete "aurelia-path" para analizar una cadena. La mayoría serán aplicaciones de Aurelia que emplean el paquete "aurelia-router". Un ejemplo es que esto podría permitir a un atacante cambiar el prototipo de la clase de objeto base "Object" al engañar a una aplicación para que analice la siguiente URL: "https://aurelia.io/blog/?__proto__[asdf]=asdf". El problema está parcheado en la versión "1.1.7"