CVE-2021-23543: 
JavaScript vulnerability analysis and mitigation

The realms-shim package, a shim implementation of the Realm API Proposal, contains a Sandbox Bypass vulnerability (CVE-2021-23543) that affects all versions. This vulnerability was discovered by Cristian-Alexandru Staicu and Abdullah Alhamdan, disclosed on December 6, 2021, and published on January 7, 2022 (Snyk Advisory).

The vulnerability allows attackers to perform a Sandbox Bypass through a Prototype Pollution attack vector. The issue occurs when properties can be injected into existing JavaScript language construct prototypes, such as objects, by manipulating magical attributes like proto, constructor, and prototype. This manipulation can lead to the pollution of JavaScript application object prototypes of the base object, affecting all JavaScript objects through the prototype chain (Snyk Advisory).

The successful exploitation of this vulnerability can result in multiple severe impacts: denial of service by triggering JavaScript exceptions, tampering with application source code to force specific code paths, and potential remote code execution. The vulnerability has received a CVSS v3.1 base score of 9.8 CRITICAL, indicating high severity across confidentiality, integrity, and availability (Snyk Advisory).

There is no fixed version available for realms-shim. The package has been deprecated with the message that TC39 has taken Realms in a new direction (ShadowRealm) and the security properties of the realms-shim have not been maintained. Recommended mitigations include freezing the prototype using Object.freeze(Object.prototype), requiring schema validation of JSON input, avoiding unsafe recursive merge functions, and considering the use of objects without prototypes or using Map instead of Object (NPM Package, Snyk Advisory).