@tanstack/form-core Prototype Pollution Vulnerability Leading to Denial-of-Service
Vulnerability
A prototype pollution vulnerability has been identified in the @tanstack/form-core package, specifically in version 0.35.0. The issue is in the 'lib.mutateMergeDeep' function: an attacker who can send a crafted payload to it can manipulate properties within the global prototype chain. Exploitation can cause a denial-of-service condition and may lead to other injection-based attacks, depending on how the application uses the library. For example, if a polluted property is passed to sensitive Node.js APIs like 'exec' or 'eval', it could allow execution of arbitrary commands in the application's context.
Impact
Exploitation of this vulnerability causes a denial-of-service condition and introduces a prototype pollution issue that could be exploited for further injection-based attacks, depending on the application's use of the library.
Reproduction
To reproduce this vulnerability, import the '@tanstack/form-core' library and call the 'mutateMergeDeep' function with an object and a payload that includes an Object.prototype setter. The call modifies the prototype of the object, and the injected property can be observed on the modified prototype afterwards, demonstrating the prototype pollution.
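The following added example is not code from @tanstack/form-core; it shows the class of bug with a hypothetical unguarded merge (`naiveMergeDeep`) beside a hardened one (`safeMergeDeep`) that a defender can use as a regression check. All function names and the payload are constructed for illustration.

```javascript
// Added example: hypothetical helpers, not the @tanstack/form-core source.
const BLOCKED_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

const isPlainObject = (v) =>
  v !== null && typeof v === 'object' && !Array.isArray(v);

// Unguarded recursive merge: target['__proto__'] resolves to Object.prototype,
// so a nested "__proto__" object in the source is merged into the global prototype.
function naiveMergeDeep(target, source) {
  for (const key of Object.keys(source)) {
    if (isPlainObject(source[key]) && isPlainObject(target[key])) {
      naiveMergeDeep(target[key], source[key]);
    } else {
      target[key] = source[key];
    }
  }
  return target;
}

// Hardened merge: skips prototype-related keys and only recurses into
// properties the target owns itself, never into inherited ones.
function safeMergeDeep(target, source) {
  for (const key of Object.keys(source)) {
    if (BLOCKED_KEYS.has(key)) continue;
    const src = source[key];
    const own = Object.prototype.hasOwnProperty.call(target, key);
    if (isPlainObject(src) && own && isPlainObject(target[key])) {
      safeMergeDeep(target[key], src);
    } else {
      target[key] = src;
    }
  }
  return target;
}

// Regression check: returns true if merging a constructed payload leaks a
// property onto every object. JSON.parse makes "__proto__" an own key.
function checkMerge(mergeFn) {
  const payload = JSON.parse('{"name":"a","__proto__":{"polluted":true}}');
  mergeFn({ name: '' }, payload);
  const polluted = ({}).polluted === true;
  delete Object.prototype.polluted; // restore global state after the check
  return polluted;
}

console.log('naive merge pollutes:', checkMerge(naiveMergeDeep));
console.log('safe merge pollutes: ', checkMerge(safeMergeDeep));
```

The same `checkMerge` probe can be pointed at any merge helper in a test suite to confirm that an upgraded dependency no longer writes through to `Object.prototype`.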
