CVE-2021-23450: 
JavaScript vulnerability analysis and mitigation

All versions of package dojo are vulnerable to Prototype Pollution via the setObject function. The vulnerability was discovered and disclosed on July 30, 2021, and was assigned identifier CVE-2021-23450. This security issue affects the Dojo JavaScript toolkit, which is a foundation package for the Dojo 1 Toolkit (Snyk Report).

The vulnerability is a Prototype Pollution issue that occurs through the setObject function. A proof of concept demonstrates that an attacker can pollute JavaScript object prototypes by creating an HTML file that uses dojo.setObject to set malicious values. The vulnerability allows injection of properties into existing JavaScript language construct prototypes, such as objects, which can lead to prototype chain pollution (Snyk Report).

When successfully exploited, this vulnerability can lead to either denial of service by triggering JavaScript exceptions or tampering with the application source code to force code path injection, potentially leading to remote code execution. The vulnerability affects multiple environments including application servers, web servers, and web browsers (Snyk Report).

Several mitigation strategies are recommended: freeze the prototype using Object.freeze(Object.prototype), require schema validation of JSON input, avoid using unsafe recursive merge functions, consider using objects without prototypes (Object.create(null)), and use Map instead of Object as a best practice. For Debian 10 buster, this vulnerability has been fixed in version 1.14.2+dfsg1-1+deb10u3 (Debian Advisory).