CVE-2022-25301: 
JavaScript vulnerability analysis and mitigation

All versions of package jsgui-lang-essentials are vulnerable to Prototype Pollution. The vulnerability was discovered and disclosed on December 13, 2021, and was assigned CVE-2022-25301. The vulnerability affects all versions of the package with no fixed version available (Snyk).

The vulnerability exists in the llset() function where the package allows all Object attributes to be altered, including magical attributes such as _proto__, constructor and prototype. This enables attackers to manipulate JavaScript application object prototypes of the base object by injecting other values. Properties on the Object.prototype are then inherited by all JavaScript objects through the prototype chain (Snyk, GitHub Issue).

The vulnerability can lead to multiple severe impacts including denial of service by triggering JavaScript exceptions, tampering with application source code to force attacker-injected code paths, and potential remote code execution. Additionally, attackers can achieve property injection by polluting properties that the codebase relies on for their informative value, including security properties such as cookies or tokens (Snyk).

Since there is no fixed version available, users should implement alternative mitigations such as freezing the prototype using Object.freeze(Object.prototype), requiring schema validation of JSON input, avoiding unsafe recursive merge functions, using objects without prototypes (Object.create(null)), or using Map instead of Object as a best practice (Snyk).