CVE-2021-23397: 
JavaScript vulnerability analysis and mitigation

CVE-2021-23397 affects all versions of the npm package @ianwalter/merge. The vulnerability was discovered and disclosed on June 17, 2021, and published on June 18, 2021. This security issue involves a Prototype Pollution vulnerability in the main (merge) function of the package (Snyk Report).

The vulnerability is classified as a Prototype Pollution issue (CWE-1321) that occurs in the package's main merge function. The CVSS base score is rated as 5.6 (medium) according to Snyk's assessment, while the NVD rates it at 9.8 (critical). The vulnerability allows an attacker to manipulate JavaScript object prototypes through the recursive merge functionality (Snyk Report).

The vulnerability can lead to several types of attacks: Denial of Service (DoS) by manipulating object properties like toString and valueOf, potential Remote Code Execution if the codebase evaluates and executes specific object attributes, and Property Injection where attackers can pollute security-critical properties such as authentication or authorization flags (Snyk Report).

There is no fixed version available for @ianwalter/merge. The maintainer recommends switching to @generates/merger as an alternative. Additional recommended preventive measures include freezing the prototype using Object.freeze(Object.prototype), implementing JSON input schema validation, avoiding unsafe recursive merge functions, and considering the use of objects without prototypes or using Map instead of Object (Snyk Report).