@stryker-mutator/util Prototype Pollution Vulnerability Leading to Denial-of-Service
Vulnerability
A prototype pollution vulnerability has been identified in version 8.6.0 of the @stryker-mutator/util package. The issue arises in the 'deepMerge' function, where attackers can send a crafted payload to manipulate properties in the global prototype chain. Exploitation can cause a denial-of-service condition and potentially lead to other injection-based attacks, depending on how the library is used within the application. For example, if the polluted property is passed to sensitive Node.js APIs like 'exec' or 'eval', it could allow execution of arbitrary commands in the application's context.
Impact
Exploitation of this vulnerability causes a denial-of-service condition and introduces a prototype pollution issue that could be exploited for further injection-based attacks, depending on the application's use of the library.
Reproduction
To reproduce this vulnerability, import the '@stryker-mutator/util' package and call the 'deepMerge' function with a payload that includes an Object.prototype setter. This will modify the prototype chain and introduce a property, demonstrating the pollution. After the function call, the modified prototype can be observed, confirming the successful exploitation.
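The general pattern behind this class of bug, next to the key filter that closes it, as an added example that is not the @stryker-mutator/util source: 'naiveDeepMerge', 'safeDeepMerge' and 'checkMerge' are hypothetical stand-ins, and the JSON input is constructed for the demonstration.

```javascript
// Added example: stand-in merge functions, NOT the package's own code.
// Keys that reach the prototype chain and must never be merged from untrusted data.
const BLOCKED_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

const isPlainObject = (v) =>
  v !== null && typeof v === 'object' && !Array.isArray(v);

// Naive recursive merge: recurses into every key, so target['__proto__']
// resolves to Object.prototype and the source's values are written onto it.
function naiveDeepMerge(target, source) {
  for (const key of Object.keys(source)) {
    const value = source[key];
    if (isPlainObject(value) && isPlainObject(target[key])) {
      naiveDeepMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Hardened merge: skips prototype-reaching keys and only recurses into
// properties the target actually owns, never inherited ones.
function safeDeepMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (BLOCKED_KEYS.has(key)) continue;
    const value = source[key];
    const owned = Object.prototype.hasOwnProperty.call(target, key);
    if (isPlainObject(value) && owned && isPlainObject(target[key])) {
      safeDeepMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Merges constructed untrusted JSON, reports whether an unrelated fresh
// object inherited the marker property, then restores Object.prototype.
function checkMerge(mergeFn) {
  const untrusted = JSON.parse('{"name": "x", "__proto__": {"polluted": true}}');
  const merged = mergeFn({}, untrusted);
  const leaked = ({}).polluted === true;
  delete Object.prototype.polluted;
  return { leaked, name: merged.name };
}

console.log('naive:', checkMerge(naiveDeepMerge));
console.log('safe: ', checkMerge(safeDeepMerge));
```

The same 'checkMerge' probe works as a regression test for any merge helper that accepts parsed JSON from outside the trust boundary.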
