CVE-2021-4307: 
JavaScript vulnerability analysis and mitigation

A critical prototype pollution vulnerability was discovered in Yomguithereal Baobab versions up to 2.6.0. The vulnerability was identified and fixed in January 2021, affecting the npm package baobab. This security issue impacts applications using vulnerable versions of the package (FortiGuard Labs).

The vulnerability allows an attacker to inject properties into existing JavaScript language construct prototypes. JavaScript's design allows Object attributes to be altered, including magical attributes like proto, constructor and prototype. Through prototype pollution, an attacker could manipulate these attributes to overwrite the JavaScript application object prototype of the base object by injecting other values. Properties on the Object.prototype are then inherited by all JavaScript objects through the prototype chain (GitHub PR).

If successfully exploited, this vulnerability could allow an attacker to modify properties of objects that would otherwise be inaccessible. This could potentially be chained with other vulnerabilities like DOM-based XSS, Open Redirection, Cookie Manipulation, Link Manipulation, and HTML Injection. At minimum, it could lead to a Denial of Service condition (GitHub PR).

The vulnerability has been fixed in version 2.6.1 of baobab. The fix was implemented by adding checks to prevent modification of object prototype properties. Users should upgrade to version 2.6.1 or later to mitigate this vulnerability (FortiGuard Labs, GitHub Release).