Summary
The `@thi.ng/paths` package, versions <= `5.1.62`, is vulnerable to prototype pollution via the `mutIn` and `mutInManyUnsafe` functions. By passing specially crafted input to these functions, an attacker can manipulate the prototype of an object, potentially altering the behavior of all objects that inherit from the affected prototype. In this post, we see the vulnerability in action and examine the underlying root cause and the fixes for this issue. Along the way, we practice reading JavaScript and some of its funky and weird expressions (syntactic sugar), giving us a practical taste of source-code review!
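An added illustration of the bug class described above, not code from `@thi.ng/paths` or from the original post: a naive in-place path setter beside a guarded one. The function names `naiveMutIn` and `guardedMutIn`, the blocked-key list and the sample path are assumptions made for this example.

```javascript
// Added example; hypothetical helpers, not the @thi.ng/paths implementation.
// Path segments that lead to a prototype or constructor instead of own data.
const UNSAFE_KEYS = new Set(["__proto__", "prototype", "constructor"]);

// Naive setter: walks `path` and assigns at the end without checking
// segment names, so a path can step out of `state` into a shared prototype.
function naiveMutIn(state, path, value) {
  let node = state;
  for (let i = 0; i < path.length - 1; i++) {
    if (node[path[i]] == null) node[path[i]] = {};
    node = node[path[i]];
  }
  node[path[path.length - 1]] = value;
  return state;
}

// Guarded setter: rejects unsafe segments (after string coercion, so a
// segment such as ["__proto__"] is caught too) and only descends into
// own properties that hold objects.
function guardedMutIn(state, path, value) {
  for (const key of path) {
    if (UNSAFE_KEYS.has(String(key))) {
      throw new Error(`unsafe path segment: ${String(key)}`);
    }
  }
  let node = state;
  for (let i = 0; i < path.length - 1; i++) {
    const key = path[i];
    const own = Object.prototype.hasOwnProperty.call(node, key);
    if (!own || node[key] === null || typeof node[key] !== "object") {
      node[key] = {};
    }
    node = node[key];
  }
  node[path[path.length - 1]] = value;
  return state;
}

// Runs both setters on a constructed path and reports whether an unrelated,
// freshly created object picked up the property. Restores the prototype.
function demo() {
  const path = ["__proto__", "polluted"]; // constructed sample input
  naiveMutIn({}, path, true);
  const naivePolluted = ({}).polluted === true;
  delete Object.prototype.polluted;
  let rejected = false;
  try { guardedMutIn({}, path, true); } catch (e) { rejected = true; }
  return { naivePolluted, rejected, guardedPolluted: ({}).polluted === true };
}
```
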