CVE-2022-25878: 
JavaScript vulnerability analysis and mitigation

The vulnerability CVE-2022-25878 affects protobufjs versions before 6.11.3, which is a protocol buffer library for JavaScript and TypeScript. The vulnerability was discovered and disclosed on April 6, 2022, and allows attackers to perform Prototype Pollution attacks by adding or modifying properties of the Object.prototype (Snyk DB).

The vulnerability is a Prototype Pollution issue that can be exploited in multiple ways: by providing untrusted user input to util.setProperty or ReflectionObject.setParsedOption functions, or by parsing/loading .proto files. The vulnerability has a CVSS v3.1 base score of 8.2 (High severity), with attack vector being Network, attack complexity Low, and requiring no privileges or user interaction (Snyk DB).

When successfully exploited, this vulnerability can lead to several impacts: Denial of Service (DoS) by polluting Object.prototype attributes used in generic operations, potential Remote Code Execution if the codebase evaluates and executes specific object attributes, and Property Injection where attackers can modify security-critical properties like access control flags (Snyk DB).

The recommended mitigation is to upgrade protobufjs to version 6.11.3 or higher. For prevention, it is recommended to freeze the prototype using Object.freeze(Object.prototype), implement schema validation for JSON input, avoid unsafe recursive merge functions, and consider using objects without prototypes or using Map instead of Object (Snyk DB).