CVE-2021-23558: 
JavaScript vulnerability analysis and mitigation

The bmoor package before version 0.10.1 contains a Prototype Pollution vulnerability (CVE-2021-23558). This vulnerability is due to missing sanitization in the set function, which allows attackers to inject properties into existing JavaScript language construct prototypes. The issue derives from an incomplete fix of a previous vulnerability (CVE-2020-7736) (Snyk DB).

The vulnerability exists in the set function where there is insufficient sanitization of array inputs. An attacker can bypass the protection by wrapping dangerous keys (like proto) in an array with just one element. When using bracket notation to access object properties, any key type can be used, and the === operator returns false if the operand types are different. This allows bypassing checks that compare against string values (Snyk Blog).

A successful exploitation of this vulnerability could lead to Prototype Pollution, which can result in denial of service by triggering JavaScript exceptions or potentially lead to remote code execution by tampering with the application source code. The vulnerability has a CVSS score of 7.3 (High) (Snyk DB).

The vulnerability was fixed in version 0.10.1 by converting path components to strings before performing security checks. Users should upgrade to version 0.10.1 or higher to address this vulnerability (Snyk DB).