CVE-2021-23507: 
JavaScript vulnerability analysis and mitigation

The package object-path-set before version 1.0.2 contains a prototype pollution vulnerability via the setPath method, which allows an attacker to merge object prototypes into it. This vulnerability is particularly notable as it derives from an incomplete fix of a previous vulnerability (SNYK-JS-OBJECTPATHSET-607908) (NVD).

The vulnerability exists in the setPath method implementation where input validation can be bypassed. The vulnerability has a CVSS v3.1 base score of 9.8 (CRITICAL) with vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H. The issue stems from improper validation of array-type inputs that can be used to bypass the existing prototype pollution checks (Snyk Blog).

When successfully exploited, this vulnerability allows attackers to modify object prototypes, which can lead to denial of service (DoS) at minimum. The vulnerability affects the confidentiality, integrity, and availability of the system with high severity ratings for each (NVD).

The vulnerability has been fixed in version 1.0.2 of the object-path-set package. The fix involves converting path components to strings before validation checks are performed. Users should upgrade to version 1.0.2 or later to address this vulnerability (Github Patch).