CVE-2021-23408: 
Java vulnerability analysis and mitigation

The vulnerability CVE-2021-23408 affects the package com.graphhopper:graphhopper-web-bundle before version 3.2, and from 4.0-pre1 and before 4.0. This security issue was discovered and disclosed on July 20, 2021, where the URL parser could be tricked into adding or modifying properties of Object.prototype using a constructor or proto payload (Snyk Advisory).

The vulnerability is classified as a Prototype Pollution issue (CWE-1321) with a CVSS v3.1 base score of 4.3 (MEDIUM) according to NVD, and 5.4 (MEDIUM) according to Snyk. The attack vector is Network-based (AV:N), with Low attack complexity (AC:L), requiring No privileges (PR:N), and User interaction (UI:R). The scope is Unchanged (S:U), with Low impact on confidentiality and no impact on integrity (NVD Database).

The vulnerability can lead to several types of attacks including Denial of Service (DoS), where Object's generic functions can be manipulated to cause service disruptions. Additionally, it could potentially enable Property Injection, where attackers can pollute properties that the codebase relies on for their informative value, including security properties such as cookies or tokens (Snyk Advisory).

The vulnerability was patched in version 3.2 and version 4.0 of the graphhopper-web-bundle. Users should upgrade to these versions or higher to mitigate the risk. Additionally, general preventive measures include freezing the prototype using Object.freeze(Object.prototype), requiring schema validation of JSON input, avoiding unsafe recursive merge functions, and considering using objects without prototypes (GitHub Release).

The GraphHopper team responded quickly to the vulnerability by releasing version 3.2 as a security fix release, which they highly recommended users to upgrade to (GitHub Release).