Prototype Pollution
Description
The package cached-path-relative before 1.1.0 is vulnerable to Prototype Pollution via the cache variable, which is initialised as {} instead of Object.create(null) in the cachedPathRelative function; this allows access to the parent prototype's properties when the object is used to create the cached relative path. When the origin path is __proto__, the object's attribute is accessed instead of a path. Note: This vulnerability derives from an incomplete fix in https://security.snyk.io/vuln/SNYK-JS-CACHEDPATHRELATIVE-72573
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
The cached-path-relative package before 1.1.0 is vulnerable to Prototype Pollution via a plain object cache, allowing attackers to pollute Object.prototype with crafted paths.
Vulnerability
The cached-path-relative package prior to version 1.1.0 uses a plain JavaScript object ({}) to store cached relative path results. Since {} inherits from Object.prototype, the cache object is susceptible to Prototype Pollution. When the cachedPathRelative function is called with a path containing __proto__, the property is resolved on the cache object's prototype chain instead of being treated as a path, allowing pollution of the global prototype. This issue stems from an incomplete fix of a previous vulnerability (SNYK-JS-CACHEDPATHRELATIVE-72573) [1][2].
Exploitation
An attacker needs to supply a path string that includes __proto__ as a segment. When the cachedPathRelative function processes this path, it writes the relative path result to cache["__proto__"], which actually sets the property on Object.prototype. No authentication or special network position is required if the application passes user-controlled paths to the function.
Impact
Successful exploitation leads to Prototype Pollution. The attacker can inject arbitrary properties into Object.prototype, which are then inherited by all JavaScript objects in the application. This can result in denial of service, altered application behavior, or potentially remote code execution depending on how the polluted properties are used downstream.
Mitigation
The vulnerability is fixed in version 1.1.0 of cached-path-relative [4]. Users should upgrade to at least 1.1.0. There are no known workarounds for affected versions.
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| cached-path-relative (npm) | < 1.1.0 | 1.1.0 |
Affected products
- cached-path-relative/cached-path-relative
  - Range: <1.1.0
Patches
40c73bf70c58 Fix other instances of prototype pollution vulnerability
1 file changed · +2 −2
lib/index.js+2 −2 modified@@ -27,15 +27,15 @@ function cachedPathRelative (from, to) { // to invalidate the cache var cwd = process.cwd() if (cwd !== lastCwd) { - cache = {} + cache = Object.create(null) lastCwd = cwd } if (cache[from] && cache[from][to]) return cache[from][to] var result = relative.call(path, from, to) - cache[from] = cache[from] || {} + cache[from] = cache[from] || Object.create(null) cache[from][to] = result return result
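Review bot: The module-level `var cache` initializer sits outside this hunk, so only the cwd-reset path (`cache = Object.create(null)`) and the per-`from` bucket (`cache[from] = cache[from] || Object.create(null)`) are changed here; confirm the initial declaration already uses `Object.create(null)` from the earlier fix (the title "other instances" implies it), otherwise the first call before any cwd change still writes into a plain object. A regression test that calls `cachedPathRelative('__proto__', 'x')` and then asserts `({}).x === undefined` would pin all three sites at once.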
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
1. github.com/advisories/GHSA-wg6g-ppvx-927h (advisory)
2. nvd.nist.gov/vuln/detail/CVE-2021-23518 (advisory)
3. github.com/ashaffer/cached-path-relative/commit/40c73bf70c58add5aec7d11e4f36b93d144bb760 (web)
4. lists.debian.org/debian-lts-announce/2022/12/msg00006.html (mailing list)
5. snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-2348246 (web)
6. snyk.io/vuln/SNYK-JS-CACHEDPATHRELATIVE-2342653 (web)
News mentions
No linked articles in our index yet.