Prototype Pollution Vulnerability

Affected Package and Version
Package: mpath
Versions: <0.8.4

Vulnerability Details
CVE: CVE-2021-23438
CWE: CWE-1321
Introduced: 1 Sep 2021
Severity: 5.6 (Medium)
Fix: Upgrade mpath to version 0.8.4 or higher.

Overview
Description: Affected versions of the mpath package are vulnerable to Prototype Pollution, a type confusion vulnerability.
PoC: Demonstrates exploitation of the vulnerability through prototype pollution.
Details: Explains Prototype Pollution and the ways it occurs, such as unsafe recursive object merges and property definition by path.

Types of Attacks
Denial of Service (DoS): Attackers can disrupt the service by altering prototype chains.
Remote Code Execution: Possible under specific conditions, where the codebase evaluates a polluted attribute.
Property Injection: Manipulation of properties for privilege escalation or to alter security-relevant properties.

Affected Environments
Application server
Web server
Web browser

Prevention
1. Freeze the prototype using .
2. Require schema validation for JSON input.
3. Avoid unsafe recursive merge functions.
4. Consider using objects without prototypes.
5. Use instead of .

References
GitHub Commit
Snyk Blog

CVSS Base Scores
Snyk: 5.6 (Medium)
NVD: 9.8 (Critical)
Red Hat: 5.6 (Medium)
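The "property definition by path" pattern named in the Details section, together with prevention items 3 and 4, as an added example that is not mpath's own code and not the advisory's PoC. A minimal dotted-path setter is shown first in an unsafe form and then hardened: prototype-related segments are rejected, traversal never follows inherited properties, and intermediate objects are created without a prototype. All function names (setByPathUnsafe, setByPathSafe, isForbiddenKey, hasOwn, applyUpdates, demo) and the sample input are assumptions constructed for this example.

```javascript
// Added example, not mpath's code. Names and sample data are assumptions.
const FORBIDDEN_SEGMENTS = new Set(['__proto__', 'constructor', 'prototype']);

function isForbiddenKey(key) {
  return FORBIDDEN_SEGMENTS.has(key);
}

function hasOwn(obj, key) {
  return Object.prototype.hasOwnProperty.call(obj, key);
}

// Unsafe: walks each path segment without validation. Because `obj.__proto__`
// resolves to Object.prototype, a path starting with "__proto__" writes into
// the shared prototype instead of the target object.
function setByPathUnsafe(target, path, value) {
  const segments = path.split('.');
  let cur = target;
  for (let i = 0; i < segments.length - 1; i++) {
    if (cur[segments[i]] == null) cur[segments[i]] = {};
    cur = cur[segments[i]];
  }
  cur[segments[segments.length - 1]] = value;
  return target;
}

// Hardened: reject prototype-related segments, only descend into own
// properties, and build intermediates as prototype-less objects so nothing
// created here can reach Object.prototype.
function setByPathSafe(target, path, value) {
  const segments = path.split('.');
  if (segments.some(isForbiddenKey)) {
    throw new Error(`refusing to set path "${path}": prototype segment`);
  }
  let cur = target;
  for (let i = 0; i < segments.length - 1; i++) {
    const seg = segments[i];
    if (!hasOwn(cur, seg) || typeof cur[seg] !== 'object' || cur[seg] === null) {
      cur[seg] = Object.create(null);
    }
    cur = cur[seg];
  }
  cur[segments[segments.length - 1]] = value;
  return target;
}

// Applies a map of path -> value updates with the safe setter only and
// reports which paths were rejected, so callers can log them.
function applyUpdates(target, updates) {
  const rejected = [];
  for (const [path, value] of Object.entries(updates)) {
    try {
      setByPathSafe(target, path, value);
    } catch (e) {
      rejected.push(path);
    }
  }
  return { target, rejected };
}

// Constructed sample input: two ordinary updates and one path that tries to
// reach the prototype chain.
const SAMPLE_UPDATES = JSON.parse(
  '{"name": "alice", "profile.theme": "dark", "__proto__.isAdmin": true}'
);

// Runs the sample through the safe setter on a prototype-less target and
// checks that no plain object picked up the attempted property.
function demo() {
  const { target, rejected } = applyUpdates(Object.create(null), SAMPLE_UPDATES);
  return {
    name: target.name,
    theme: target.profile.theme,
    rejected,
    polluted: ({}).isAdmin !== undefined,
  };
}
```

Using a prototype-less object (`Object.create(null)`) as the target covers prevention item 4; rejecting the three forbidden segments and checking own properties is the path-setter equivalent of avoiding an unsafe recursive merge (item 3). Schema validation of the whole JSON document (item 2) belongs in front of `applyUpdates`, so that only expected paths ever reach the setter.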