CVE-2022-25354: 
JavaScript vulnerability analysis and mitigation

The package set-in before version 2.0.3 is vulnerable to Prototype Pollution via the setIn method. This vulnerability allows an attacker to merge object prototypes into it, potentially leading to security issues. This vulnerability (CVE-2022-25354) was discovered on March 17, 2022, and derives from an incomplete fix of CVE-2020-28273 (NVD, Snyk).

The vulnerability exists in the setIn method implementation, where improper input sanitization allows manipulation of object prototypes. The vulnerability has a CVSS v3.1 base score of 9.8 (CRITICAL) according to NVD, and 8.6 (HIGH) according to Snyk. The vulnerability is tracked as CWE-1321 (Improperly Controlled Modification of Object Prototype Attributes) (NVD).

Successful exploitation of this vulnerability could allow an attacker to modify properties within the global prototype chain. This can lead to denial of service (DoS) at minimum, and potentially escalate to other injection-based attacks. If the polluted property propagates to sensitive Node.js APIs (e.g., exec, eval), it could enable arbitrary command execution within the application's context (Snyk).

The vulnerability has been patched in version 2.0.3. Users should upgrade to this version or higher to address the security issue. The fix involves improved validation of path arguments to prevent prototype pollution attacks (GitHub Patch).