CVE-2023-26139: 
JavaScript vulnerability analysis and mitigation

CVE-2023-26139 affects the underscore-keypath package versions from 0.0.11 onwards. The vulnerability was discovered and disclosed on April 10, 2023, and published on July 31, 2023. This vulnerability allows Prototype Pollution through the name argument of the setProperty() function, affecting applications using the underscore-keypath library, which provides key-path mechanism extensions for underscore to access JavaScript objects and arrays (Snyk Advisory, NVD).

The vulnerability exists in the setProperty() function within underscore-keypath.js. The function fails to properly sanitize input, allowing arguments like 'proto' to be processed. The vulnerability is classified as CWE-1321 (Improperly Controlled Modification of Object Prototype Attributes). It has received a CVSS v3.1 base score of 7.5 (High), with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H (Snyk Advisory).

When exploited, this vulnerability can lead to Prototype Pollution, which allows attackers to inject properties into existing JavaScript language construct prototypes. This can result in denial of service by triggering JavaScript exceptions or potentially lead to remote code execution by tampering with the application source code (Snyk Advisory).

Currently, there is no fixed version available for underscore-keypath. Recommended mitigations include freezing the prototype using Object.freeze(Object.prototype), implementing schema validation for JSON input, avoiding unsafe recursive merge functions, and considering the use of objects without prototypes or using Map instead of Object (Snyk Advisory).