PT-2021-6595 · Npm+2 · Object-Path+2

Alessio Della Libera

·

Published

2021-08-27

·

Updated

2023-03-22

·

CVE-2021-23434

CVSS v2.0

9.0

High

Vector AV:N/AC:L/Au:N/C:P/I:P/A:C
Name of the Vulnerable Software and Affected Versions: object-path versions prior to 0.11.6
Description: A type confusion issue exists in the object-path package. The guard against prototype-polluting keys can be bypassed when a component of the path parameter is itself an array rather than a string. Specifically, the condition currentPath === '__proto__' returns false when currentPath is ['__proto__'], because the strict equality operator (===) always returns false when its operands have different types; the array is nevertheless coerced to the string '__proto__' when it is later used as a property key, so the traversal reaches the prototype. The vulnerability can be exploited by a remote attacker to access confidential data, compromise data integrity, and cause a denial of service.
Recommendations: For object-path versions prior to 0.11.6, update to version 0.11.6 or later to resolve the issue. As a temporary workaround, ensure that every component of the path parameter is a plain string (reject or stringify array components) before it reaches object-path, to minimize the risk of exploitation.
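The type confusion in the description, shown as an added example that is not object-path's own code: a minimal deep-set function models the strict-equality guard (currentPath === '__proto__') and is bypassed by an array path component, beside a hardened variant that accepts only primitive components and compares the stringified key. The hardened approach is this example's own mitigation, not necessarily the upstream fix; the payload [['__proto__'], 'polluted'] and the setter names are constructed for the demonstration.

```javascript
// Added example (not object-path's own source): a minimal deep "set" that
// models the guard the advisory describes, beside a hardened variant.
// The payload used below is constructed for the demonstration.
const BLOCKED_KEYS = ['__proto__', 'constructor', 'prototype'];

function toParts(path) {
  return Array.isArray(path) ? path : String(path).split('.');
}

// Vulnerable variant: compares each component with === against the blocked
// strings. An array component such as ['__proto__'] fails the comparison
// (different types), but current[key] then coerces it to the string
// '__proto__' and the walk lands on Object.prototype.
function setVulnerable(obj, path, value) {
  const parts = toParts(path);
  let current = obj;
  for (let i = 0; i < parts.length; i++) {
    const key = parts[i];
    if (key === '__proto__' || key === 'constructor' || key === 'prototype') {
      return obj; // refused: a plain string key is caught
    }
    if (i === parts.length - 1) {
      current[key] = value;
    } else {
      if (typeof current[key] !== 'object' || current[key] === null) {
        current[key] = {};
      }
      current = current[key];
    }
  }
  return obj;
}

// Hardened variant (this example's own mitigation): only string or number
// components are accepted, and the blocklist is checked against the
// stringified key, i.e. the same value property access will use. Intermediate
// objects are only reused when they are own properties of the current node.
function setHardened(obj, path, value) {
  const parts = toParts(path);
  let current = obj;
  for (let i = 0; i < parts.length; i++) {
    const raw = parts[i];
    if (typeof raw !== 'string' && typeof raw !== 'number') {
      throw new TypeError('path components must be strings or numbers');
    }
    const key = String(raw);
    if (BLOCKED_KEYS.includes(key)) {
      throw new Error('refusing to traverse key ' + key);
    }
    if (i === parts.length - 1) {
      current[key] = value;
    } else {
      if (!Object.prototype.hasOwnProperty.call(current, key) ||
          typeof current[key] !== 'object' || current[key] === null) {
        current[key] = {};
      }
      current = current[key];
    }
  }
  return obj;
}

// Runs both setters against the same constructed payload and reports whether
// Object.prototype was polluted, cleaning up afterwards.
function demo() {
  const payload = [['__proto__'], 'polluted']; // constructed attacker input
  const result = {};

  // A plain string path is refused by the vulnerable variant...
  setVulnerable({}, '__proto__.polluted', 'yes');
  result.stringPathPolluted = ({}).polluted !== undefined;

  // ...but the array component slips past the === check.
  setVulnerable({}, payload, 'yes');
  result.vulnerablePolluted = ({}).polluted;
  delete Object.prototype.polluted;

  // The hardened variant rejects the non-primitive component outright.
  result.hardenedThrew = false;
  try {
    setHardened({}, payload, 'yes');
  } catch (e) {
    result.hardenedThrew = true;
  }
  result.hardenedPolluted = ({}).polluted !== undefined;

  // Ordinary use still works.
  result.normal = setHardened({}, 'a.b.c', 1);
  return result;
}

console.log(demo());
```

Running the block prints an object in which vulnerablePolluted is 'yes' while stringPathPolluted and hardenedPolluted are false: the same guard that stops '__proto__.polluted' lets [['__proto__'], 'polluted'] through, which is exactly the point of ensuring components are strings before they reach the library.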

Exploit

Fix

Prototype Pollution

Type Confusion

Weakness Enumeration

Related Identifiers

BDU:2022-01861
CVE-2021-23434
DLA-3291-1
GHSA-V39P-96QG-C8RF
SNYK-JAVA-ORGWEBJARSNPM-1570423
SNYK-JS-OBJECTPATH-1569453
USN-5967-1

Affected Products

Linuxmint
Ubuntu
Object-Path