CVE-2019-10792: 
JavaScript vulnerability analysis and mitigation

The vulnerability (CVE-2019-10792) affects the bodymen package, versions <1.1.1. Bodymen is a Body parser middleware for MongoDB, Express and Nodejs. The vulnerability was published and disclosed on February 17, 2020, and was discovered by JHU System Security Lab (Snyk Report).

This is a Prototype Pollution vulnerability where the handler function could be tricked into adding or modifying properties of Object.prototype using a proto payload. The vulnerability has a CVSS v3.1 base score of 6.3 (Medium), with the vector string Network/Low/Low/None/Unchanged/Low/Low/Low (Snyk Report).

The vulnerability can lead to several types of attacks: Denial of Service (DoS) through manipulation of generic functions like toString and valueOf, potential Remote Code Execution if the codebase evaluates and executes specific attributes, and Property Injection where attackers can pollute properties used for security checks like privileges (Snyk Report).

The vulnerability can be fixed by upgrading bodymen to version 1.1.1 or higher. Additional preventive measures include freezing the prototype using Object.freeze(Object.prototype), requiring schema validation of JSON input, avoiding unsafe recursive merge functions, and considering the use of objects without prototypes or using Map instead of Object (Snyk Report).