CVE-2021-43138: 
JavaScript vulnerability analysis and mitigation

In Async before 2.6.4 and 3.x before 3.2.2, a vulnerability was discovered that allows a malicious user to obtain privileges via the mapValues() method through a prototype pollution attack in the lib/internal/iterator.js createObjectIterator function. The vulnerability was assigned CVE-2021-43138 and was disclosed in April 2022 (NVD).

The vulnerability exists in the createObjectIterator function within lib/internal/iterator.js, which is used by the mapValues() method. The issue stems from improper handling of the 'proto' property during object iteration, which could lead to prototype pollution. The vulnerability has been assigned a CVSS v3.1 base score of 7.8 (HIGH) with the vector string CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H (NVD).

Successful exploitation of this vulnerability could allow an attacker to obtain elevated privileges through prototype pollution, potentially leading to unauthorized access to sensitive data, modification of application behavior, or execution of arbitrary code (NVD).

The vulnerability has been fixed in Async versions 2.6.4 and 3.2.2. Users are strongly recommended to upgrade to these or later versions. The fix involves adding a check to skip 'proto' properties during object iteration (GitHub_Changelog).

The vulnerability received significant attention from the developer community, leading to multiple downstream package updates and security patches. Various organizations including Fedora and NetApp have issued security advisories and patches for their products that depend on the affected versions of Async (Fedora_Update, NetApp_Advisory).