CVE-2023-26105: 
JavaScript vulnerability analysis and mitigation

CVE-2023-26105 affects all versions of the utilities package, which contains a Prototype Pollution vulnerability via the _mix function. The vulnerability was discovered by Yuhan Gao and Peng Zhou, and was disclosed on December 28, 2022 (Snyk Report).

The vulnerability exists in the mix function within utilities/lib/core.js. The issue occurs during object merging operations, specifically at line 65 where mix(targ, sources[i], merge) is called, and at line 41 where targ[p] = src[p] is executed. This allows for prototype pollution through the utilities.i18n.loadLocale() function (GitHub Issue).

When exploited, this vulnerability allows an attacker to modify properties of the Object.prototype, which can lead to denial of service by triggering JavaScript exceptions or potentially enable remote code execution through tampering with the application source code. The vulnerability has received a CVSS score of 7.5 (High), primarily due to its potential impact on system availability (Snyk Report).

Currently, there is no fixed version available for the utilities package. As general mitigation strategies, it is recommended to freeze the prototype using Object.freeze(Object.prototype), implement JSON input schema validation, avoid using unsafe recursive merge functions, and consider using objects without prototypes (Object.create(null)) or using Map instead of Object (Snyk Report).