
Cloud Vulnerability DB
A community-led vulnerabilities database
The vulnerability (GHSA-whpx-q3rq-w8jc) affects the SES package (npm) in versions prior to 0.16.0. The issue was published on October 19, 2022, and concerns the improper hardening of TypedArrays that carry non-canonical numeric property names in Hardened JavaScript. It undermines the security mechanism that allows programs to safely share objects with co-tenant programs (GitHub Advisory).
The vulnerability stems from a defect in the harden functionality: properties whose names parse as numbers but are not in canonical representation (such as '+0' or '', both of which parse to the same number as '0') remain writable after hardening. This occurs because a TypedArray with elements cannot be frozen (Object.freeze rejects it, so Object.isFrozen never holds), and harden instead makes the instance non-extensible while making all non-indexed properties non-writable and non-configurable. The defect lies specifically in how non-canonical numeric property names on TypedArrays are classified during that step (GitHub Advisory).
The vulnerability could lead to API pollution attacks when TypedArrays are shared between mutually suspicious parties. While hardened TypedArrays are intended to only allow communication through numbers within their bounds, this vulnerability inadvertently creates a mechanism for third parties to communicate arbitrary objects through these non-canonical properties. This affects instances where programs rely on harden to prevent modifications to their API surface (GitHub Advisory).
The vulnerability has been patched in SES version 0.16.0, which ensures that properties with non-canonical numeric representations are properly recognized and made non-configurable. As a workaround, users are advised to avoid sharing TypedArrays between co-tenant programs and instead create wrapper objects that produce read-only views of the underlying data. Collections shared between co-tenant programs should be attenuated to either read- or write-only facets (GitHub Advisory).
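The defect class and the advised workaround, as an added example that models the behaviour described above rather than reproducing SES's own harden implementation; the names isCanonicalNumericString, isIndexLikeFlawed, hardenTypedArray, pollutionSurvives and readOnlyView are chosen here, and the '+0' expando scenario is constructed:

```javascript
// Added model (not SES's own code) of how hardening a TypedArray can miss
// property names that parse as numbers but are not in canonical form.

// A canonical numeric string round-trips through Number and String unchanged:
// '0' is canonical; '+0' and '' are not, although Number('+0') === 0.
function isCanonicalNumericString(name) {
  return String(Number(name)) === name;
}

// The defective check: any name that parses as a number is skipped as if it
// were an element index, so '+0' and '' are never made non-writable.
function isIndexLikeFlawed(name) {
  return !Number.isNaN(Number(name));
}

// Object.freeze throws on a TypedArray that has elements, so a hardener must
// instead make it non-extensible and lock every non-index own property.
function hardenTypedArray(ta, isIndex) {
  Object.preventExtensions(ta);
  for (const name of Object.getOwnPropertyNames(ta)) {
    if (isIndex(name)) continue; // element slots stay writable by design
    Object.defineProperty(ta, name, { writable: false, configurable: false });
  }
  return ta;
}

// Constructed scenario: an expando named '+0' exists before hardening. Returns
// true when an arbitrary object can still be stored there afterwards.
function pollutionSurvives(isIndex) {
  const ta = new Uint8Array(4);
  ta['+0'] = 'initial';
  hardenTypedArray(ta, isIndex);
  try {
    ta['+0'] = { smuggled: true }; // throws in strict mode if non-writable
  } catch (e) { /* assignment was rejected */ }
  return typeof ta['+0'] === 'object';
}

// Advised workaround: share a frozen wrapper exposing a read-only view instead
// of the TypedArray itself.
function readOnlyView(ta) {
  return Object.freeze({
    length: ta.length,
    at: (i) => ta[i],
    slice: (start, end) => ta.slice(start, end),
  });
}
```

Running pollutionSurvives with isIndexLikeFlawed returns true (an object is smuggled through '+0'), while the canonical check returns false.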
Source: This report was generated using AI