CVE-2021-23574: 
JavaScript vulnerability analysis and mitigation

All versions of the package js-data are vulnerable to Prototype Pollution via the deepFillIn and the set functions. This vulnerability was disclosed on September 13, 2021, and was assigned CVE-2021-23574. This is notably an incomplete fix of a previous vulnerability (CVE-2020-28442) (Snyk NPM).

The vulnerability exists in two functions: deepFillIn and set. The issue allows attackers to inject properties into existing JavaScript language construct prototypes, including magical attributes such as proto, constructor and prototype. When exploited, this can lead to the manipulation of JavaScript application object prototypes of the base object by injecting other values. Properties on the Object.prototype are then inherited by all JavaScript objects through the prototype chain (Snyk NPM).

The vulnerability can lead to multiple severe consequences: denial of service by triggering JavaScript exceptions, tampering with application source code to force specific code paths, and potential remote code execution. When Object holds generic functions implicitly called for various operations (like toString and valueOf), an attacker can pollute Object.prototype attributes and alter their state to unexpected values, causing application failures (Snyk NPM).

Currently, there is no fixed version available for js-data. However, several workarounds can be implemented: freeze the prototype using Object.freeze(Object.prototype), require schema validation of JSON input, avoid using unsafe recursive merge functions, consider using objects without prototypes (Object.create(null)), or use Map instead of Object as a best practice (Snyk NPM).

The vulnerability was reported through the huntr.dev bug bounty platform, indicating active security research interest in the project. Two GitHub issues (#576 and #577) were created to track this vulnerability, demonstrating community awareness and concern (GitHub Issue 576, GitHub Issue 577).