CVE-2023-26106: 
JavaScript vulnerability analysis and mitigation

The dot-lens package is affected by a Prototype Pollution vulnerability identified as CVE-2023-26106. This vulnerability exists in all versions of the package and was discovered in the set() function within the index.js file. The vulnerability was disclosed on January 10, 2023, and published on March 5, 2023 (Snyk Report).

The vulnerability allows for Prototype Pollution through the set() function in index.js file. The issue occurs when the function fails to properly validate user input, allowing manipulation of JavaScript language construct prototypes. The vulnerability has received a CVSS v3.1 base score of 7.5 (High), with attack vector being Network, attack complexity Low, and requiring no privileges or user interaction (Snyk Report).

When exploited, this vulnerability can lead to several consequences: Denial of Service (DoS) by triggering JavaScript exceptions, potential remote code execution by tampering with the application source code, and possible property injection affecting security-critical properties such as cookies or tokens. The vulnerability primarily affects the availability of the system, with the potential for total loss of availability (Snyk Report).

Currently, there is no fixed version available for dot-lens. To mitigate the risk, developers should consider implementing alternative solutions such as freezing the prototype using Object.freeze(Object.prototype), requiring schema validation of JSON input, avoiding unsafe recursive merge functions, or using objects without prototypes (Object.create(null)). As a best practice, using Map instead of Object is recommended (Snyk Report).