{"id":"CVE-2021-41097","details":"aurelia-path is part of the Aurelia platform and contains utilities for path manipulation. There is a prototype pollution vulnerability in aurelia-path before version 1.1.7. The vulnerability exposes Aurelia applications that use the `aurelia-path` package to parse a string. The majority of these will be Aurelia applications that employ the `aurelia-router` package. For example, this could allow an attacker to change the prototype of the base object class `Object` by tricking an application into parsing the following URL: `https://aurelia.io/blog/?__proto__[asdf]=asdf`. The problem is patched in version `1.1.7`.","aliases":["GHSA-3c9c-2p65-qvwv"],"modified":"2026-03-15T14:44:48.834677Z","published":"2021-09-27T18:15:08.443Z","related":["GHSA-3c9c-2p65-qvwv"],"references":[{"type":"ADVISORY","url":"https://github.com/aurelia/path/releases/tag/1.1.7"},{"type":"ADVISORY","url":"https://github.com/aurelia/path/security/advisories/GHSA-3c9c-2p65-qvwv"},{"type":"ADVISORY","url":"https://www.npmjs.com/package/aurelia-path"},{"type":"REPORT","url":"https://github.com/aurelia/path/issues/44"},{"type":"FIX","url":"https://github.com/aurelia/path/commit/7c4e235433a4a2df9acc313fbe891758084fdec1"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/aurelia/path","events":[{"introduced":"0"},{"fixed":"3c674eff2ba3856f0f132503fec78597666b2b7e"},{"fixed":"7c4e235433a4a2df9acc313fbe891758084fdec1"}],"database_specific":{"versions":[{"introduced":"0"},{"fixed":"1.1.7"}]}}],"versions":["0.0.1","0.1.0","0.10.0","0.11.0","0.2.0","0.2.1","0.2.2","0.3.0","0.4.0","0.4.1","0.4.2","0.4.3","0.4.4","0.4.5","0.4.6","0.5.0","0.6.0","0.6.1","0.7.0","0.8.0","0.8.1","0.9.0","1.0.0","1.0.0-beta.1","1.0.0-beta.1.1.0","1.0.0-beta.1.1.1","1.0.0-beta.1.2.0","1.0.0-beta.1.2.1","1.0.0-beta.1.2.2","1.0.0-beta.2.0.0","1.0.0-beta.2.0.1","1.0.0-rc.1.0.0","1.1.0","1.1.1","1.1.2","1.1.3","1.1.4","1.1.5"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2021-41097.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"}]}