CVE-2021-4264: 
JavaScript vulnerability analysis and mitigation

A prototype pollution vulnerability was discovered in LinkedIn dustjs versions up to 2.x, disclosed on December 21, 2022. The vulnerability allows attackers to manipulate object prototype attributes through improperly controlled modifications, potentially leading to arbitrary code execution. The issue affects the core functionality of the dustjs template engine (LinkedIn Issue).

The vulnerability exists in the compileBlocks function within dustjs/lib/compiler.js, where the code iterates over block attributes without proper prototype chain checks. This allows an attacker to inject malicious code through prototype pollution. The vulnerability can be exploited remotely, and when combined with vm.runInContext in the loadSource function, it can lead to arbitrary command execution. The vulnerability has been assigned a CVSS v3 Base Score of 8.8, indicating high severity (AttackerKB).

When exploited, this vulnerability allows attackers to execute arbitrary commands on the affected system through prototype pollution. The attack can be launched remotely, and successful exploitation could lead to complete system compromise. The vulnerability is particularly dangerous as it can bypass the vm context restrictions (LinkedIn Issue).

The vulnerability has been fixed in version 3.0.0 of dustjs. The fix includes using Object.create(null) to create objects without prototype chain and improving the vm context security. Users are strongly recommended to upgrade to version 3.0.0 or later to address this security issue (LinkedIn Release, LinkedIn PR).