
Cloud Vulnerability DB
A community-led vulnerabilities database
A type confusion vulnerability (CVE-2021-23434) was discovered in object-path, a Node.js module used to access deep object properties using dot-separated paths. The vulnerability was disclosed on August 25, 2021, affecting versions prior to 0.11.6. This vulnerability could lead to a bypass of the previous CVE-2020-15256 fix when the path components used in the path parameter are arrays (NVD, Snyk).
The bypass exists because the guard added for CVE-2020-15256 compares each path component using the strict-equality operator ===, which returns false whenever the operands have different types. When a path component is itself an array, the check currentPath === '__proto__' evaluates to false for currentPath equal to ['__proto__'], so the guard is skipped; when that array is then used as a property key it is coerced to the string '__proto__', the traversal lands on Object.prototype, and prototype pollution becomes possible. The vulnerability was discovered by Alessio Della Libera of the Snyk Research Team (Snyk).
The vulnerability could allow an attacker to perform prototype pollution attacks, which could lead to property injection, denial of service, or in some cases, remote code execution. When exploited, attackers could manipulate JavaScript application object prototypes by injecting malicious values, potentially affecting all JavaScript objects through the prototype chain (Snyk).
The vulnerability has been fixed in version 0.11.6 of object-path. Users are recommended to upgrade to this version or higher. Alternative mitigation strategies include freezing the prototype using Object.freeze(Object.prototype), requiring schema validation of JSON input, avoiding unsafe recursive merge functions, and considering the use of objects without prototypes or using Map instead of Object (Snyk).
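As an added illustration (this is not object-path's own code and not the fix shipped in 0.11.6), the JavaScript below reconstructs the guard pattern described above in a minimal deep setter, shows how an array path component slips past a === check and pollutes Object.prototype, contrasts it with a variant that normalises each component before checking it, and demonstrates the null-prototype-target mitigation listed above. The function names, the probe helper and the `polluted` key are assumptions made for the demonstration.

```javascript
// Added example, not object-path's code. Reconstructs the === guard pattern,
// the array-component bypass, a hardened setter, and a null-prototype target.

const MAGIC = new Set(['__proto__', 'constructor', 'prototype']);

// Vulnerable variant: the guard compares the raw path component with ===.
// For key = ['__proto__'] the comparison is false (array !== string), but
// cur[key] coerces the array to the string '__proto__' (Array.prototype
// .toString), so the walk continues on Object.prototype.
function setVulnerable(obj, path, value) {
  let cur = obj;
  for (let i = 0; i < path.length; i++) {
    const key = path[i];
    if (key === '__proto__' || key === 'constructor' || key === 'prototype') {
      throw new Error("For security reasons, object's magic properties cannot be set");
    }
    if (i === path.length - 1) {
      cur[key] = value;
    } else {
      if (cur[key] === undefined || cur[key] === null) cur[key] = {};
      cur = cur[key];
    }
  }
  return obj;
}

// Hardened variant: accept only string or number components, compare the
// string the component will actually be used as, and only descend into own
// properties so an inherited key is never followed.
function setHardened(obj, path, value) {
  const keys = path.map((k) => {
    if (typeof k !== 'string' && typeof k !== 'number') {
      throw new TypeError('path components must be strings or numbers, got ' + typeof k);
    }
    return String(k);
  });
  let cur = obj;
  for (let i = 0; i < keys.length; i++) {
    const key = keys[i];
    if (MAGIC.has(key)) {
      throw new Error("For security reasons, object's magic properties cannot be set");
    }
    if (i === keys.length - 1) {
      cur[key] = value;
    } else {
      const own = Object.prototype.hasOwnProperty.call(cur, key);
      if (!own || typeof cur[key] !== 'object' || cur[key] === null) cur[key] = {};
      cur = cur[key];
    }
  }
  return obj;
}

// Runs the attack path [['__proto__'], 'polluted'] through `setter` against a
// fresh target and reports whether an unrelated object now sees the value.
// Any pollution is undone afterwards so later code is unaffected.
function probe(setter, makeTarget = () => ({})) {
  try {
    setter(makeTarget(), [['__proto__'], 'polluted'], 'yes');
  } catch (e) {
    return 'rejected: ' + e.message;
  }
  const leaked = ({}).polluted;
  delete Object.prototype.polluted;
  return leaked === 'yes' ? 'polluted' : 'clean';
}

// A plain string component is still caught by the vulnerable guard.
function stringComponentBlocked() {
  try {
    setVulnerable({}, ['__proto__', 'x'], 1);
    return false;
  } catch (e) {
    return true;
  }
}

console.log("string '__proto__', vulnerable guard rejects:", stringComponentBlocked());
console.log("array ['__proto__'], vulnerable guard:", probe(setVulnerable));
console.log("array ['__proto__'], hardened guard:", probe(setHardened));
console.log("array ['__proto__'], vulnerable guard, null-prototype target:",
  probe(setVulnerable, () => Object.create(null)));
console.log('normal use, hardened:', JSON.stringify(setHardened({}, ['a', 'b'], 1)));
```

The null-prototype run shows why that mitigation works even against the vulnerable setter: an object created with Object.create(null) has no inherited `__proto__` accessor, so the coerced key simply creates an ordinary own property and never reaches Object.prototype. It does not, however, protect any plain object elsewhere in the process, so it complements rather than replaces the upgrade to 0.11.6.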
Source: This report was generated using AI