Login Sign Up

CVE-2021-41097

9.1 CRITICAL

📋 TL;DR

CVE-2021-41097 is a prototype pollution vulnerability in aurelia-path versions before 1.1.7 that allows attackers to modify the Object prototype through specially crafted input. This affects Aurelia applications using aurelia-path for path parsing, particularly those employing aurelia-router. Successful exploitation could lead to denial of service, remote code execution, or other security impacts depending on the application.

💻 Affected Systems

Products:
  • aurelia-path
Versions: All versions before 1.1.7
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Primarily affects Aurelia applications using aurelia-path for URL/path parsing, especially those with aurelia-router

📦 What is this software?

Aurelia Path by Bluespire

View all CVEs affecting Aurelia Path →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Remote code execution leading to complete system compromise, data theft, or service disruption

🟠

Likely Case

Denial of service, application instability, or limited privilege escalation within the application context

🟢

If Mitigated

No impact if patched or proper input validation prevents malicious payloads

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Example exploit URL provided in advisory: https://aurelia.io/blog/?__proto__[asdf]=asdf

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.1.7

Vendor Advisory: https://github.com/aurelia/path/security/advisories/GHSA-3c9c-2p65-qvwv

Restart Required: Yes

Instructions:

1. Update package.json to specify 'aurelia-path': '^1.1.7' 2. Run 'npm update aurelia-path' or 'yarn upgrade aurelia-path' 3. Restart the application

🔧 Temporary Workarounds

Input validation/sanitization

all

Implement strict input validation to reject URLs containing __proto__ or similar prototype pollution patterns

🧯 If You Can't Patch

  • Implement WAF rules to block requests containing __proto__ patterns
  • Isolate affected applications behind reverse proxies with request filtering

🔍 How to Verify

Check if Vulnerable:

Check package.json or node_modules/aurelia-path/package.json for version <1.1.7

Check Version:

npm list aurelia-path | grep aurelia-path

Verify Fix Applied:

Confirm version 1.1.7 or higher is installed in package.json and node_modules

📡 Detection & Monitoring

Log Indicators:

  • HTTP requests containing __proto__ patterns in query parameters or URLs
  • Application errors related to prototype modification

Network Indicators:

  • HTTP requests with __proto__ in query strings
  • Unusual patterns in URL parsing

SIEM Query:

http.uri_query contains "__proto__"

📊 Metadata

CVE ID: CVE-2021-41097
CVSS v3 Score: 9.1 (CRITICAL)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
CWE: CWE-1321
Published: September 27, 2021
Last Updated: November 21, 2024

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2021-41097, you might also want to check these:

CVE-2024-38999 10.0

CVE-2024-38999 is a prototype pollution vulnerability in requirejs v2.3.6 that allows attackers to i...

Same vulnerability type (CWE-1321)
CVE-2024-39008 10.0

CVE-2024-39008 is a prototype pollution vulnerability in robinweser's fast-loops library version 1.1...

Same vulnerability type (CWE-1321)
CVE-2021-25953 9.8

CVE-2021-25953 is a prototype pollution vulnerability in the 'putil-merge' npm package that allows a...

Same vulnerability type (CWE-1321)