CVE-2025-28269: 
JavaScript vulnerability analysis and mitigation

A prototype pollution vulnerability (CVE-2025-28269) was discovered in js-object-utilities versions prior to 2.2.1. The vulnerability was identified in the lib.set function, allowing attackers to manipulate object properties through the Object.prototype setter. The issue was discovered by Tariq Hawis and publicly disclosed on April 6, 2025 (GitHub Advisory).

The vulnerability exists in the module.exports function at /node_modules/js-object-utilities/dist/set.js:16:29. An attacker can exploit this by supplying a payload with Object.prototype setter to introduce or modify properties within the global prototype chain. The vulnerability specifically occurs when processing object properties that include 'proto' or 'constructor' keys without proper validation (GitHub Commit). The vulnerability has been assigned a CVSS v4.0 score of 7.0 (High) with the vector string: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N/E:P (GitHub Advisory).

The successful exploitation of this vulnerability can lead to denial of service (DoS) at minimum. More severe consequences may include injection-based attacks if the polluted property propagates to sensitive Node.js APIs (e.g., exec, eval), potentially enabling attackers to execute arbitrary commands within the application's context (GitHub Advisory).

The vulnerability has been patched in version 2.2.1 of js-object-utilities. The fix includes adding protection against prototype pollution by checking for 'proto' or 'constructor' in key parts and returning the object unchanged if these sensitive keys are detected (GitHub Commit). Users are advised to update to version 2.2.1 or later to address this security issue.