CVE-2021-23417: 
JavaScript vulnerability analysis and mitigation

All versions of package deepmergefn are vulnerable to Prototype Pollution via the deepMerge function. The vulnerability was discovered and disclosed on June 16, 2021, and was assigned CVE-2021-23417 (Debian Security, CISA Bulletin).

The vulnerability exists in the deepMerge function of the deepmergefn package, which allows attackers to manipulate JavaScript's prototype chain. The vulnerability has a CVSS v3.1 base score of 5.6 (medium severity) with the following metrics: Attack Vector: Network, Attack Complexity: High, Privileges Required: None, User Interaction: None, Scope: Unchanged, and Low impact on Confidentiality, Integrity, and Availability (Snyk).

Successful exploitation of this vulnerability could allow an attacker to inject properties into existing JavaScript language construct prototypes. This can lead to denial of service by triggering JavaScript exceptions or potentially lead to remote code execution by tampering with the application source code (Snyk).

There is no fixed version available for the deepmergefn package. Recommended mitigations include: freezing the prototype using Object.freeze(Object.prototype), requiring schema validation of JSON input, avoiding unsafe recursive merge functions, using objects without prototypes (Object.create(null)), and considering using Map instead of Object (Snyk).