
Cloud Vulnerability DB
A community-led vulnerabilities database
CVE-2024-21529 affects versions of the dset package before 3.1.4, which are vulnerable to Prototype Pollution via the dset function. The vulnerability was discovered and disclosed on March 30, 2024, and published on September 10, 2024. It exists due to improper user input sanitization in the dset package, a utility for writing deep Object values (NVD, Snyk).
The vulnerability allows attackers to inject malicious object properties through the built-in Object property __proto__; properties written there are inherited by every object in the program. The vulnerability has been assigned a CVSS v3.1 base score of 8.2 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:L. The issue is classified as CWE-1321 (Improperly Controlled Modification of Object Prototype Attributes) (NVD, Snyk).
When successfully exploited, this vulnerability can lead to Prototype Pollution attacks, which can result in property injection, denial of service, or potentially remote code execution in certain circumstances. The vulnerability has significant impact on integrity and limited impact on availability, while there is no direct impact on confidentiality (Snyk).
The vulnerability has been fixed in version 3.1.4 of the dset package. Users are recommended to upgrade to this version or higher. The fix prevents __proto__ assignment via implicit string coercion of path keys, as implemented in the patch (GitHub Commit, Snyk).
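As an added illustration (not the dset project's own code), the following deep-set helper applies the hardening the fix describes: every path segment is coerced to a string before it is compared against the prototype-related keys, so a non-string segment that merely stringifies to __proto__ is rejected too. The function names and the prototypeIsClean regression check are assumptions for this example.

```javascript
// Added example, not dset's code: a deep-set helper hardened against
// prototype pollution. Path segments may arrive as non-strings (for example
// an array whose toString() yields "__proto__"), so each segment is coerced
// to a string BEFORE the blocklist comparison rather than compared as-is.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function safeDeepSet(target, path, value) {
  const segments = Array.isArray(path) ? path : String(path).split('.');
  let node = target;
  for (let i = 0; i < segments.length; i++) {
    const key = String(segments[i]); // coerce first, then check
    if (FORBIDDEN_KEYS.has(key)) {
      throw new TypeError(`refusing to set forbidden key "${key}"`);
    }
    if (i === segments.length - 1) {
      node[key] = value;
      break;
    }
    // Only descend into an own, non-null object child; replace anything
    // else so the walk never follows an inherited property.
    const own = Object.prototype.hasOwnProperty.call(node, key);
    if (!own || typeof node[key] !== 'object' || node[key] === null) {
      node[key] = {};
    }
    node = node[key];
  }
  return target;
}

// Defender's regression check: after a rejected write, a fresh object must
// not have inherited the attacker-chosen property name.
function prototypeIsClean(name) {
  return !(name in {});
}
```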
Source: This report was generated using AI