Prototype Pollution Vulnerability in cached-path-relative Package

Disclosed: 2018-11-02 10:51:09 By cris_semmle To nodejs-ecosystem
High
Vulnerability Details
I would like to report a prototype pollution attack in cached-path-relative. It allows an attacker to inject properties on Object.prototype which are then inherited by all the JS objects through the prototype chain.

# Module

**module name:** cached-path-relative
**version:** 1.0.1
**npm page:** `https://www.npmjs.com/package/cached-path-relative`

## Module Description

Memoize the results of the path.relative function. path.relative can be an expensive operation if it happens a lot, and its results shouldn't change for the same arguments.

## Module Stats

352,446 downloads in the last week

# Vulnerability

## Vulnerability Description

If the attacker can control both the path and the cached value, she can deploy a prototype pollution attack and thus overwrite arbitrary properties on Object.prototype.

## Steps To Reproduce:

```js
var relative = require('cached-path-relative');
relative('__proto__', 'x');
console.log({}.x);
```

## Patch

Initialize the cache using Object.create(null) or use the Map data structure.

# Wrap up

- I contacted the maintainer to let them know: N
- I opened an issue in the related repository: N

## Impact

I am not sure how clients of this module use the API, but if an attacker can control both the values passed to cached-path-relative, the attacker can write arbitrary properties on Object.prototype.
Report Stats
  • Report ID: 390847
  • State: Closed
  • Substate: resolved
  • Upvotes: 1
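
The cache pattern this report describes, next to the fix its "Patch" section suggests, as an added example that is not part of the original report and is not the package's own source. The memoizers are constructed for illustration, and `makeUnsafeMemo`, `makeSafeMemo` and `leakedAfter` are hypothetical names.

```javascript
const path = require('path');

// Constructed memoizer (not the package's source): a two-level cache keyed by
// caller-supplied strings and backed by plain objects, as the report describes.
function makeUnsafeMemo() {
  const cache = {}; // inherits from Object.prototype
  return function relative(from, to) {
    const hit = cache[from] && cache[from][to];
    if (hit) return hit;
    const result = path.relative(from, to);
    cache[from] = cache[from] || {}; // cache['__proto__'] resolves to Object.prototype
    cache[from][to] = result;        // so this write lands on Object.prototype
    return result;
  };
}

// Hardened variant following the report's "Patch" advice: Map keys are plain
// data, so '__proto__' is stored like any other string.
function makeSafeMemo() {
  const cache = new Map();
  return function relative(from, to) {
    let inner = cache.get(from);
    if (!inner) cache.set(from, (inner = new Map()));
    if (!inner.has(to)) inner.set(to, path.relative(from, to));
    return inner.get(to);
  };
}

// Calls a memoizer with the report's reproduction arguments, then reports which
// enumerable properties appeared on Object.prototype and removes them again.
function leakedAfter(makeMemo) {
  const relative = makeMemo();
  const value = relative('__proto__', 'x');
  const leaked = Object.keys(Object.prototype);
  for (const key of leaked) delete Object.prototype[key];
  return { value, leaked };
}

console.log('plain object cache:', leakedAfter(makeUnsafeMemo));
console.log('Map cache:         ', leakedAfter(makeSafeMemo));
```

A check like `leakedAfter` can serve as a regression test for any cache keyed by untrusted strings: it should report an empty `leaked` list after the fix.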