CVE-2023-45811: 
JavaScript vulnerability analysis and mitigation

A prototype pollution vulnerability (CVE-2023-45811) was discovered in Synchrony deobfuscator, a JavaScript cleaner & deobfuscator, affecting versions 2.0.1 through 2.4.3. The vulnerability was disclosed on October 17, 2023, and impacts the LiteralMap transformer component of the software. This security issue allows crafted input to modify properties in the Object prototype (GitHub Advisory).

The vulnerability is classified as a CWE-1321 (Improperly Controlled Modification of Object Prototype Attributes) issue. It received a CVSS v3.1 base score of 8.1 (HIGH) with the vector string CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H. The vulnerability specifically exists in the LiteralMap transformer, where improper handling of __proto__ properties can lead to prototype pollution (NVD).

When executing in Node.js, the vulnerability can lead to arbitrary code execution. This is particularly dangerous due to the software's use of the prettier module, as defining a parser property on __proto__ with a path to a JavaScript module on disk causes a require of the value, enabling arbitrary code execution (GitHub Advisory).

Users are advised to upgrade to Synchrony version 2.4.4 which contains the fix for this vulnerability. For those unable to upgrade immediately, a workaround is available by launching Node.js with either the --disable-proto=delete or --disable-proto=throw flags (GitHub Advisory).