robinweser fast-loops v1.1.3 was discovered to contain a prototype pollution via the function objectMergeDeep. This vulnerability allows attackers to execute arbitrary code or cause a Denial of Service (DoS) via injecting arbitrary properties.
An attacker can inject arbitrary properties into the JavaScript object prototype through the vulnerable objectMergeDeep function. The prototype pollution mechanism works by manipulating the __proto__ or constructor property of an object, which leads to contamination of the global prototype and affects the behavior of all objects in the application. This allows for arbitrary code execution or disruption of application functionality.
An attacker can remotely execute arbitrary code on the server (RCE) or cause denial of service (DoS) by injecting malicious properties into the prototype. Due to the network-based nature of the attack (without requiring privileges and user interaction) and full impact on confidentiality, integrity, and availability, the consequences may include complete system compromise.
Apply patches available from the vendor according to the references. It is recommended to update the fast-loops library to a version higher than 1.1.3 and verify all locations in the application code where the objectMergeDeep function is used with external data.
robinweser fast-loops library version 1.1.3
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H