VYPR
High severity · NVD Advisory · Published Feb 1, 2019 · Updated Aug 5, 2024

CVE-2018-16490

Description

A prototype pollution vulnerability in mpath <0.5.1 allows attackers to inject arbitrary properties onto Object.prototype.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

A prototype pollution vulnerability exists in the npm package mpath versions prior to 0.5.1 [1]. The mpath module is a library for getting/setting nested object properties using a string path. The vulnerability allows an attacker to inject arbitrary properties onto Object.prototype [1][2].

Exploitation

An attacker can exploit this vulnerability by providing a malicious string path that includes __proto__ or constructor.prototype to the set function of the mpath module. This can be done through any input that is passed to the set function, such as user-controlled data in a web application. No authentication is required if the vulnerable function is exposed to untrusted input [1][2].
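
The pattern described above, as an added example (not mpath's source and not code from this advisory): naiveSet and safeSet are hypothetical helpers showing why an unchecked path segment resolves to Object.prototype and how a reserved-segment check plus own-property traversal stops it. The paths and the demoFlag marker property are constructed for the demonstration.

```javascript
// Added illustration: naiveSet/safeSet are hypothetical helpers, not mpath's code.
const RESERVED = new Set(['__proto__', 'constructor', 'prototype']);

// Vulnerable pattern: walks a dotted path and trusts every segment, so
// inherited keys such as __proto__ are followed like ordinary properties.
function naiveSet(obj, path, value) {
  const parts = path.split('.');
  let cur = obj;
  for (const key of parts.slice(0, -1)) {
    if (cur[key] === undefined) cur[key] = {};
    cur = cur[key];
  }
  cur[parts[parts.length - 1]] = value;
}

// Hardened pattern: reject reserved segments up front and descend only
// through own, object-valued properties (anything else is replaced by {}).
function safeSet(obj, path, value) {
  const parts = String(path).split('.');
  if (parts.some((p) => RESERVED.has(p))) {
    throw new TypeError('reserved segment in path: ' + path);
  }
  let cur = obj;
  for (const key of parts.slice(0, -1)) {
    const own = Object.prototype.hasOwnProperty.call(cur, key);
    if (!own || cur[key] === null || typeof cur[key] !== 'object') cur[key] = {};
    cur = cur[key];
  }
  cur[parts[parts.length - 1]] = value;
}

// Applies a setter to a fresh object, then checks whether an unrelated
// empty object now sees the property. Always cleans Object.prototype.
function leaksToPrototype(setter, path, prop) {
  try { setter({}, path, true); } catch (e) { /* path rejected */ }
  const leaked = ({})[prop] === true;
  delete Object.prototype[prop];
  return leaked;
}

// Constructed test paths; demoFlag is an arbitrary marker property.
const PATHS = ['__proto__.demoFlag', 'constructor.prototype.demoFlag'];
for (const p of PATHS) {
  console.log(p, 'naive:', leaksToPrototype(naiveSet, p, 'demoFlag'),
    'safe:', leaksToPrototype(safeSet, p, 'demoFlag'));
}
```

The same leaksToPrototype check can serve as a regression test for any in-house path setter; for the mpath package itself the fix remains upgrading to 0.5.1 or later.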

Impact

Successful exploitation enables an attacker to pollute Object.prototype with arbitrary properties. This can lead to unexpected behavior in the application, potentially including denial of service (DoS), property injection that affects all objects in the runtime, and possibly remote code execution (RCE) depending on how the application uses the polluted properties [2].

Mitigation

Update mpath to version 0.5.1 or later, which was released to address this vulnerability [1][2]. Users should apply the patch immediately. No known workarounds exist besides upgrading. The vulnerability is listed on the GitHub Advisory Database [2] and was reported via HackerOne [1].

AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package        Affected versions   Patched versions
mpath (npm)    < 0.5.1             0.5.1

Affected products

2
  • ghsa-coords
    Range: < 0.5.1
  • HackerOne/mpathv5
    Range: <0.5.1

Patches

0

No patches discovered yet.

References

4
