CVE-2020-28503: 
JavaScript vulnerability analysis and mitigation

The package copy-props before version 2.0.5 was discovered to be vulnerable to Prototype Pollution via its main functionality. The vulnerability was assigned CVE-2020-28503 and was disclosed on March 5, 2021 (Snyk).

The vulnerability allows an attacker to inject properties into existing JavaScript language construct prototypes through the main functionality of the package. The vulnerability has a CVSS base score of 7.5, indicating high severity. The attack vector is network-based, with low attack complexity and requires no privileges or user interaction (CISA).

When exploited, this vulnerability can lead to either denial of service by triggering JavaScript exceptions or tampering with the application source code to force the code path that the attacker injects, potentially leading to remote code execution. The vulnerability affects the confidentiality, integrity, and availability of the system, though all at low severity levels (Snyk).

The vulnerability was fixed in version 2.0.5 of copy-props. Users should upgrade to this version or higher to mitigate the risk. Alternative preventive measures include freezing the prototype using Object.freeze(Object.prototype), requiring schema validation of JSON input, avoiding unsafe recursive merge functions, and considering the use of objects without prototypes (Snyk).