{
  "affected": [
    {
      "ranges": [
        {
          "database_specific": {
            "versions": [
              {
                "introduced": "0"
              },
              {
                "fixed": "3.2"
              },
              {
                "introduced": "0"
              },
              {
                "last_affected": "4.0-pre1"
              },
              {
                "introduced": "0"
              },
              {
                "last_affected": "4.0-pre2"
              }
            ]
          },
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "3de45343ed6d3a413a7fe4ca57daea49a25caedb"
            },
            {
              "introduced": "0"
            },
            {
              "last_affected": "bc573db1251ed21e97642542c218f6c725fe0305"
            },
            {
              "introduced": "0"
            },
            {
              "last_affected": "6285f81c9678c074336d0e5ca16687f46ffbee23"
            },
            {
              "fixed": "784470f3315717abe4920435f24e9d08dae63267"
            }
          ],
          "repo": "https://github.com/graphhopper/graphhopper",
          "type": "GIT"
        }
      ]
    }
  ],
  "details": "This affects the package com.graphhopper:graphhopper-web-bundle before 3.2, from 4.0-pre1 and before 4.0. The URL parser could be tricked into adding or modifying properties of Object.prototype using a constructor or __proto__ payload.",
  "id": "CVE-2021-23408",
  "modified": "2026-03-14T13:50:41.886541105Z",
  "published": "2021-07-21T16:15:08.613Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://github.com/graphhopper/graphhopper/releases/tag/3.1"
    },
    {
      "type": "ADVISORY",
      "url": "https://github.com/graphhopper/graphhopper/releases/tag/3.2"
    },
    {
      "type": "FIX",
      "url": "https://github.com/graphhopper/graphhopper/pull/2370"
    },
    {
      "type": "EVIDENCE",
      "url": "https://snyk.io/vuln/SNYK-JAVA-COMGRAPHHOPPER-1320114"
    }
  ],
  "related": [
    "SNYK-JAVA-COMGRAPHHOPPER-1320114"
  ],
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}