PT-2022-9406 · Unknown · Cached-Path-Relative

Cristian-Alexandru Staicu +2 · Published 2022-01-21 · Updated 2023-02-03 · CVE-2021-23518

CVSS v3.1: 9.8 Critical
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: cached-path-relative versions prior to 1.1.0

Description: The issue allows for Prototype Pollution via the cache variable set as {} instead of Object.create(null) in the cachedPathRelative function. This enables access to parent prototype properties when the object is used to create the cached relative path. Specifically, when the origin path is set as `__proto__`, the attribute of the object is accessed instead of a path.

Recommendations: For versions prior to 1.1.0, update to version 1.1.0 or later to resolve the issue. As a temporary workaround, consider modifying the cachedPathRelative function to use Object.create(null) instead of {} for the cache variable to prevent Prototype Pollution.

Prototype Pollution

Weakness Enumeration

Related Identifiers

CVE-2021-23518
DLA-3221-1
GHSA-WG6G-PPVX-927H
SNYK-JAVA-ORGWEBJARSNPM-2348246
SNYK-JS-CACHEDPATHRELATIVE-2342653

Affected Products

Cached-Path-Relative