CVE-2023-26113: 
JavaScript vulnerability analysis and mitigation

CVE-2023-26113 affects versions of the collection.js package before 6.8.1, which contains a Prototype Pollution vulnerability in the extend function located in Collection.js/dist/node/iterators/extend.js. The vulnerability was disclosed on December 29, 2022, and published on March 18, 2023 (NVD, Snyk).

The vulnerability is classified as CWE-1321 (Improperly Controlled Modification of Object Prototype Attributes) and has received a CVSS v3.1 base score of 7.5 (HIGH). The attack vector is network-based, with low attack complexity, requiring no privileges or user interaction. The vulnerability exists in the extend function, which allows for prototype pollution through unsafe object recursive merge operations (Snyk).

When exploited, this vulnerability can lead to Denial of Service (DoS) by triggering JavaScript exceptions or potentially enable remote code execution by tampering with the application source code. The vulnerability affects the availability of the system, potentially resulting in total loss of availability while the attack is ongoing or even after it has completed (Snyk).

The vulnerability has been patched in version 6.8.1 of collection.js. Users should upgrade to this version or higher to mitigate the risk. Alternative preventive measures include freezing the prototype using Object.freeze(Object.prototype), implementing JSON input schema validation, avoiding unsafe recursive merge functions, and considering the use of objects without prototypes or using Map instead of Object (Snyk, GitHub Release).