I would like to report a prototype pollution attack in cached-path-relative.
It allows an attacker to inject properties on Object.prototype which are then inherited by all the JS objects through the prototype chain.
module name: cached-path-relative
version: 1.0.1
npm page: https://www.npmjs.com/package/cached-path-relative
Memoize the results of the path.relative function. path.relative can be an expensive operation if it happens a lot, and its results shouldn’t change for the same arguments.
352,446 downloads in the last week
If the attacker can control both the path and the cached value, she can deploy a prototype pollution attack and thus overwrite arbitrary properties on Object.prototype.
var relative = require('cached-path-relative');
relative('__proto__', 'x');
console.log({}.x);
Initialize the cache using Object.create(null) or use the Map data structure.
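The two suggested fixes next to a plain-object cache, as an added example that is not part of the original report and is not the module's own source. The memoizers are a simplified, hypothetical model of a cache keyed by `from` and then `to`, and `pollutes` is a helper name chosen here.

```javascript
const path = require('path');

// Simplified model of a two-level memo cache (hypothetical, not the module's code).
function makeUnsafeRelative() {
  const cache = {}; // plain object: inherits from Object.prototype
  return function relative(from, to) {
    // cache['__proto__'] resolves to Object.prototype, so the write below
    // lands on the shared prototype instead of a private cache entry.
    const bucket = cache[from] || (cache[from] = {});
    if (to in bucket) return bucket[to];
    return (bucket[to] = path.relative(from, to));
  };
}

// Fix 1: null-prototype objects have no inherited __proto__ accessor,
// so '__proto__' is stored as an ordinary own key.
function makeNullProtoRelative() {
  const cache = Object.create(null);
  return function relative(from, to) {
    const bucket = cache[from] || (cache[from] = Object.create(null));
    if (to in bucket) return bucket[to];
    return (bucket[to] = path.relative(from, to));
  };
}

// Fix 2: Map keys are never looked up on a prototype chain.
function makeMapRelative() {
  const cache = new Map();
  return function relative(from, to) {
    let bucket = cache.get(from);
    if (!bucket) cache.set(from, (bucket = new Map()));
    if (!bucket.has(to)) bucket.set(to, path.relative(from, to));
    return bucket.get(to);
  };
}

// Runs the call from the report against a memoizer, reports whether
// Object.prototype gained an own property 'x', then cleans up.
function pollutes(makeRelative) {
  makeRelative()('__proto__', 'x');
  const polluted = Object.prototype.hasOwnProperty.call(Object.prototype, 'x');
  delete Object.prototype.x;
  return polluted;
}

console.log('plain object:', pollutes(makeUnsafeRelative));
console.log('Object.create(null):', pollutes(makeNullProtoRelative));
console.log('Map:', pollutes(makeMapRelative));
```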
I am not sure how clients of this module use the API, but if an attacker can control both of the values passed to cached-path-relative, the attacker can write arbitrary properties on Object.prototype.