CVE-2021-41097

Name of the Vulnerable Software and Affected Versions aurelia-path versions prior to 1.1.7

Description The issue is related to a prototype pollution vulnerability in aurelia-path, which is part of the Aurelia platform and contains utilities for path manipulation. This vulnerability exposes Aurelia applications that use the aurelia-path package to parse a string, particularly those that employ the aurelia-router package. An example of exploitation could involve an attacker tricking an application into parsing a URL like https://aurelia.io/blog/? proto [asdf]=asdf, potentially allowing the attacker to change the prototype of the base object class Object.

Recommendations For versions prior to 1.1.7, update to version 1.1.7 to resolve the issue. As a temporary workaround, consider using Object.freeze(Object.prototype) to partially mitigate the vulnerability.