
Cloud Vulnerability DB
A community-led vulnerabilities database
All versions of package realms-shim are vulnerable to Sandbox Bypass via a Prototype Pollution attack vector. The vulnerability was discovered and disclosed on December 6, 2021, and was assigned CVE-2021-23594. The package realms-shim is a shim implementation of the Realm API Proposal (NPM Package, Snyk Advisory).
The flaw lets an attacker use prototype pollution to bypass the sandbox restrictions that realms-shim is meant to enforce. Snyk assigned the issue a CVSS v3.1 base score of 9.8 (Critical) and NVD a score of 10.0, indicating maximum severity. The weakness is tracked as CWE-1321 (Improperly Controlled Modification of Object Prototype Attributes) and CWE-265. It stems from the ability to inject properties into the prototypes of existing JavaScript language constructs, which can lead to sandbox bypass through prototype pollution (Snyk Advisory).
Successful exploitation could allow an attacker to bypass sandbox restrictions, potentially leading to remote code execution. Because object prototypes can be manipulated, the impact on the application ranges from denial of service, by triggering JavaScript exceptions, to tampering with the application source code to force unintended code execution paths (Snyk Advisory).
There is no fixed version of realms-shim. The package has been deprecated with the note that TC39 has taken Realms in a new direction (ShadowRealm) and that the security properties of realms-shim have not been maintained. Users are advised to migrate away from the package (NPM Package).
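The advisory describes the root cause as injecting properties into the prototypes of JavaScript language constructs. The following added example (not realms-shim code, and not from the advisory) shows the defensive side of that class of bug in plain Node.js: snapshot a small set of intrinsic prototypes, detect properties injected into them, and freeze them before evaluating untrusted code so the same write fails with a TypeError. The intrinsic list, the `injected` property name and the snippets passed to `runUntrusted` are constructed for illustration.

```javascript
// Added example: hardening shared intrinsic prototypes against pollution.
// A minimal, constructed set of intrinsics; a real sandbox freezes all of them.
const INTRINSICS = [
  ['Object.prototype', Object.prototype],
  ['Array.prototype', Array.prototype],
  ['Function.prototype', Function.prototype],
  ['String.prototype', String.prototype],
];

// Record the own property keys of every intrinsic so later tampering is visible.
function snapshotIntrinsics() {
  return INTRINSICS.map(([name, proto]) =>
    [name, new Set(Reflect.ownKeys(proto).map(String))]);
}

// Return "Name.key" for every property present now that was absent in the snapshot.
function detectPollution(snapshot) {
  const injected = [];
  for (const [name, before] of snapshot) {
    const proto = INTRINSICS.find(([n]) => n === name)[1];
    for (const key of Reflect.ownKeys(proto).map(String)) {
      if (!before.has(key)) injected.push(`${name}.${key}`);
    }
  }
  return injected;
}

// Freeze every intrinsic: no new properties, no redefinition of existing ones.
function freezeIntrinsics() {
  for (const [, proto] of INTRINSICS) Object.freeze(proto);
  return INTRINSICS.every(([, proto]) => Object.isFrozen(proto));
}

// Evaluate an untrusted snippet in strict mode; on a frozen prototype a write
// throws TypeError instead of silently affecting every object in the process.
function runUntrusted(source) {
  try {
    return { ok: true, value: new Function(`"use strict";\n${source}`)(), error: null };
  } catch (err) {
    return { ok: false, value: undefined, error: err.constructor.name };
  }
}

// Walk through the failure mode, then the mitigation, in one process.
function demonstrate() {
  const snapshot = snapshotIntrinsics();
  const unhardened = runUntrusted('Object.prototype.injected = 1;'); // lands
  const found = detectPollution(snapshot);                           // detected
  delete Object.prototype.injected;                                  // undo test pollution
  freezeIntrinsics();
  const hardened = runUntrusted('Object.prototype.injected = 1;');   // now throws
  const benign = runUntrusted('return [1, 2, 3].map(x => x * 2).join(",");');
  return { unhardened: unhardened.ok, found, hardened: hardened.error,
           benign: benign.value, clean: detectPollution(snapshot) };
}
```

Freezing intrinsics this way is the same idea behind SES-style lockdown; it must run before any untrusted code, because a prototype that has already been polluted is frozen in its polluted state.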
Source: This report was generated using AI