CVE-2023-26135: 
JavaScript vulnerability analysis and mitigation

All versions of the package flatnest are vulnerable to Prototype Pollution via the nest() function in the flatnest/nest.js file. The vulnerability was discovered on December 29, 2022, and was publicly disclosed on June 29, 2023. This security issue affects all versions of the flatnest package, which is a JavaScript library used for flattening and nesting JavaScript objects (Snyk Advisory).

The vulnerability is classified as CWE-1321 (Improperly Controlled Modification of Object Prototype Attributes) and has been assigned CVE-2023-26135. The CVSS v3.1 scores vary between sources, with NVD rating it as 9.8 CRITICAL (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) and Snyk rating it as 7.3 HIGH (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L). The vulnerability exists in the nest() function within the flatnest/nest.js file, where improper input validation allows for prototype pollution (NVD).

The vulnerability can lead to Prototype Pollution, which allows an attacker to add or modify properties of the Object.prototype. This can result in several types of attacks including Denial of Service (DoS), potential Remote Code Execution, and Property Injection. In DoS scenarios, the attacker can pollute Object.prototype attributes to cause application failures. For Property Injection, attackers might be able to manipulate security-related properties like privileges or tokens (Snyk Advisory).

A fix has been pushed to the master branch of the project but has not yet been published as a new version. As general mitigation strategies, it is recommended to freeze the prototype using Object.freeze(Object.prototype), implement JSON input schema validation, avoid unsafe recursive merge functions, and consider using objects without prototypes (Object.create(null)) or using Map instead of Object (Snyk Advisory).