CVE-2022-25352: 
JavaScript vulnerability analysis and mitigation

The package libnested before version 1.5.2 contains a Prototype Pollution vulnerability (CVE-2022-25352) via the set function in index.js. This vulnerability derives from an incomplete fix for CVE-2020-28283. The vulnerability was disclosed on January 17, 2022, and published on March 7, 2022 (Snyk).

The vulnerability allows an attacker to inject properties into existing JavaScript language construct prototypes through the set function in index.js. The issue occurs due to improper input sanitization when handling object properties, allowing manipulation of magical attributes such as proto, constructor, and prototype. Properties on the Object.prototype are then inherited by all JavaScript objects through the prototype chain (Snyk). The vulnerability has been assigned a CVSS v3.1 base score of 7.5 (High) by Snyk and 9.8 (Critical) by NVD (NVD).

Successful exploitation of this vulnerability can lead to either denial of service by triggering JavaScript exceptions or tampering with the application source code to force the code path that the attacker injects, potentially leading to remote code execution. The vulnerability can affect the availability of the system, resulting in total loss of availability while the attack is ongoing or persistent denial of service (Snyk).

The vulnerability has been fixed in version 1.5.2. Users should upgrade to version 1.5.2 or higher. Alternative mitigations include: freezing the prototype using Object.freeze(Object.prototype), requiring schema validation of JSON input, avoiding unsafe recursive merge functions, using objects without prototypes (Object.create(null)), and considering using Map instead of Object (Snyk).