CVE-2022-25862: 
JavaScript vulnerability analysis and mitigation

CVE-2022-25862 affects the sds package from version 0.0.0. The vulnerability allows attackers to add or modify properties of the Object.prototype by exploiting the set function located in js/set.js. This vulnerability is particularly notable as it derives from an incomplete fix to CVE-2020-7618 (NVD, Snyk).

The vulnerability is classified as a Prototype Pollution issue (CWE-1321). It has a CVSS v3.1 base score of 7.5 (HIGH) according to NVD, with a vector string of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N. The vulnerability exists in the set function where insufficient input validation allows manipulation of Object.prototype properties (NVD).

The vulnerability can lead to Prototype Pollution, which could result in denial of service by triggering JavaScript exceptions or potentially lead to remote code execution by tampering with the application source code. The attack can affect all JavaScript objects through the prototype chain (Snyk).

There is no fixed version available for the sds package. Recommended mitigations include freezing the prototype using Object.freeze(Object.prototype), implementing schema validation for JSON input, avoiding unsafe recursive merge functions, and considering the use of objects without prototypes (Object.create(null)) or using Map instead of Object (Snyk).