CVE-2018-16472
Description
A prototype pollution attack in cached-path-relative versions <=1.0.1 allows an attacker to inject properties on Object.prototype which are then inherited by all the JS objects through the prototype chain causing a DoS attack.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A prototype pollution vulnerability in cached-path-relative <=1.0.1 allows DoS via injecting properties onto Object.prototype.
Vulnerability
The cached-path-relative npm package prior to version 1.0.2 is vulnerable to prototype pollution. An attacker can inject arbitrary properties into Object.prototype through the package's functions, affecting all JavaScript objects via the prototype chain. This issue affects versions <=1.0.1 [1][2].
Exploitation
Exploitation requires the attacker to pass a specially crafted object to a function in the package (e.g., via user input). By setting properties like __proto__ or constructor.prototype, the attacker pollutes the global prototype. No authentication or special privileges are required beyond the ability to supply arguments to the vulnerable functions [2][4].
Impact
Successful exploitation leads to a denial of service (DoS). Polluting Object.prototype can cause unexpected behavior, crashes, or infinite loops in applications that process objects, due to inherited properties. The impact is limited to application availability, with no evidence of remote code execution or data disclosure [1][3].
Mitigation
Upgrade cached-path-relative to version 1.0.2 or later, which contains the fix. No workarounds have been published. The package is not listed on the CISA Known Exploited Vulnerabilities (KEV) catalog [3].
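The following is an added illustration, not code from cached-path-relative: it assumes the two-level lookup cache the advisory describes (a plain object indexed by two caller-supplied path strings), shows why a "__proto__" key reaches Object.prototype, contrasts it with a Map-based cache, and includes the enumerable-key check a defender can run to detect pollution in a live process. All function names are hypothetical.

```javascript
// Added example, not code from cached-path-relative. It assumes the shape the
// advisory describes: a two-level lookup cache keyed by caller-supplied path
// strings (cache[from][to]); all function names here are hypothetical.

// Weak pattern: plain objects as dictionaries. Reading cache["__proto__"]
// yields Object.prototype, so the inner write lands on every object in the
// process, which is the pollution the advisory describes.
function cacheSetWeak(cache, from, to, value) {
  if (!cache[from]) cache[from] = {};
  cache[from][to] = value;
  return cache;
}

// Hardened pattern: Map lookups never consult the prototype chain, so
// "__proto__" is just another string key. (Object.create(null) dictionaries,
// or rejecting "__proto__"/"constructor"/"prototype" keys, are alternatives.)
function cacheSetSafe(cache, from, to, value) {
  let inner = cache.get(from);
  if (!inner) { inner = new Map(); cache.set(from, inner); }
  inner.set(to, value);
  return cache;
}

// Detection: a clean runtime has no enumerable own properties on
// Object.prototype, so anything Object.keys reports there is pollution.
function detectPollution() {
  return Object.keys(Object.prototype);
}

// Runs both patterns with the same constructed hostile key pair and reports
// what an unrelated fresh object sees; restores Object.prototype afterwards.
function demonstrate() {
  cacheSetWeak({}, "__proto__", "polluted", "yes");
  const weak = { leaked: ({}).polluted, detected: detectPollution() };
  delete Object.prototype.polluted;              // undo the demo's damage

  const safeCache = cacheSetSafe(new Map(), "__proto__", "polluted", "yes");
  const safe = {
    leaked: ({}).polluted,                       // undefined: nothing escaped
    stored: safeCache.get("__proto__").get("polluted"),
    detected: detectPollution(),
  };
  return { weak, safe };
}
```

A periodic `detectPollution()` call (or an assertion at startup that `Object.keys(Object.prototype)` is empty) is a cheap runtime canary for this class of bug, independent of which dependency introduced it.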
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| cached-path-relative (npm) | < 1.0.2 | 1.0.2 |
Affected products
- npm/cached-path-relative (v5) Range: <=1.0.1
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-hc9w-4p87-j549 (advisory, via GHSA)
- nvd.nist.gov/vuln/detail/CVE-2018-16472 (advisory, via GHSA)
- github.com/ashaffer/cached-path-relative/issues/3 (web, via GHSA)
- github.com/nodejs/security-wg/blob/master/vuln/npm/480.json (web, via GHSA)
- hackerone.com/reports/390847 (web, via GHSA)
- lists.debian.org/debian-lts-announce/2022/12/msg00006.html (mailing list, via GHSA)
- www.npmjs.com/advisories/739 (web, via GHSA)
News mentions
No linked articles in our index yet.