CVE-2023-26133: 
JavaScript vulnerability analysis and mitigation

All versions of the package progressbar.js are vulnerable to Prototype Pollution (CVE-2023-26133). The vulnerability was discovered in the extend() function within the utils.js file. The issue was disclosed on December 28, 2022, and published on June 11, 2023 (Snyk Advisory).

The vulnerability is classified as CWE-1321 (Improperly Controlled Modification of Object Prototype Attributes), with a CVSS v3.1 base score of 9.8 CRITICAL according to NVD, while Snyk rates it at 8.2 HIGH. The issue exists in the extend() function in utils.js, which allows for prototype pollution through unsafe object recursive merge operations (NVD Database).

When exploited, this vulnerability can lead to Prototype Pollution, which allows an attacker to inject properties into existing JavaScript language construct prototypes. This can result in denial of service by triggering JavaScript exceptions or potentially lead to remote code execution by tampering with the application source code (Snyk Advisory).

The vulnerability has been fixed in progressbar.js version 1.1.1. Users should upgrade to this version or higher. Alternative mitigations include freezing the prototype using Object.freeze(Object.prototype), implementing JSON input schema validation, avoiding unsafe recursive merge functions, or using objects without prototypes (Snyk Advisory).