CVE-2021-23561: 
JavaScript vulnerability analysis and mitigation

All versions of package comb are vulnerable to Prototype Pollution via the deepMerge() function. The vulnerability was discovered and disclosed on October 11, 2021, and was assigned CVE-2021-23561. This security issue affects the comb framework for Node.js (Snyk Report).

The vulnerability exists in the deepMerge() function of the comb package, which allows for Prototype Pollution through unsafe recursive merge operations. When the source object contains a property named proto defined with Object.defineProperty(), the merge operation can be exploited to copy properties onto the Object prototype. The vulnerability has been assigned a CVSS v3.1 score of 6.5 (medium severity), with attack vector being Network, attack complexity Low, requiring no privileges or user interaction (Snyk Report).

Successful exploitation of this vulnerability can lead to Denial of Service (DoS) by triggering JavaScript exceptions, property injection, and potentially remote code execution. The attacker can manipulate object prototypes to overwrite or pollute JavaScript application object prototypes of the base object by injecting other values. This can result in either application crashes or tampering with the application source code to force unintended code execution paths (Snyk Report).

There is no fixed version available for the comb package. To mitigate the risk, developers should: freeze the prototype using Object.freeze(Object.prototype), implement schema validation for JSON input, avoid using unsafe recursive merge functions, consider using objects without prototypes (Object.create(null)), and as a best practice, use Map instead of Object (Snyk Report).