CVE-2022-25907: 
JavaScript vulnerability analysis and mitigation

The package ts-deepmerge before version 2.0.2 was discovered to contain a Prototype Pollution vulnerability due to missing sanitization of the merge function (NVD, Snyk). The vulnerability was disclosed on July 25, 2022 and published on August 8, 2022.

The vulnerability exists in the merge function which lacks proper input sanitization, allowing manipulation of JavaScript language construct prototypes. An attacker can inject properties into existing objects through the proto attribute, which gets inherited by all JavaScript objects through the prototype chain. The vulnerability has a CVSS v3.1 base score of 7.5 (High) with Network attack vector, Low attack complexity, and No privileges required (Snyk).

Successful exploitation of this vulnerability could lead to denial of service by triggering JavaScript exceptions, or potentially remote code execution by tampering with the application source code to force specific code paths. The vulnerability could also enable property injection attacks where an attacker pollutes properties that the codebase relies on for security-critical information (Snyk).

The vulnerability was patched in version 2.0.2 by adding safeguards against prototype pollution. Users should upgrade to version 2.0.2 or higher. Alternative mitigation strategies include freezing the prototype using Object.freeze(Object.prototype), requiring schema validation of JSON input, avoiding unsafe recursive merge functions, using objects without prototypes, or using Map instead of Object (Snyk, GitHub Release).