GHSA-5rrq-pxf6-6jx5: 
JavaScript vulnerability analysis and mitigation

A prototype pollution vulnerability (GHSA-5rrq-pxf6-6jx5) was discovered in the node-forge debug API affecting versions prior to 1.0.0. The vulnerability was published on January 6, 2022, and last updated on January 11, 2023. This security issue specifically impacts the forge.debug API in the node-forge npm package (GitHub Advisory).

The vulnerability is classified as a CWE-1321 (Improperly Controlled Modification of Object Prototype Attributes) with a Low severity rating. The issue manifests as a prototype pollution vulnerability when the forge.debug API is called with untrusted input. The API was primarily intended for internal debugging purposes and was neither documented nor advertised for public use (GitHub Advisory).

The impact of this vulnerability is considered low as the affected API was only used for internal debug purposes in a safe way. It is believed that any existing implementations of this API would likely not have used untrusted inputs in a vulnerable manner (GitHub Advisory).

The vulnerability has been patched in version 1.0.0 of node-forge by completely removing the forge.debug API and related functions. For users unable to upgrade, the recommended workaround is to avoid using the forge.debug API directly or indirectly with untrusted input (GitHub Advisory).