Brikcss Merge Prototype Pollution Vulnerability
Vulnerability
A prototype pollution vulnerability has been identified in the Brikcss Merge package, affecting versions through 1.3.0. It allows remote attackers to manipulate object prototype attributes through the merge function, which does not properly sanitize special keys such as '__proto__', 'constructor.prototype', and 'prototype'. As a result, attackers can inject arbitrary properties into JavaScript's global object prototype, potentially leading to various security issues, including privilege escalation, denial of service, and unexpected application behavior.
Impact
Exploiting this vulnerability pollutes the prototype, which can inject properties into all objects in the application, override critical object methods, and cause unexpected application behavior. Additionally, this vulnerability could allow for remote code execution if combined with other vulnerabilities.
Reproduction
To reproduce this vulnerability, import the Brikcss Merge package and use the merge function to merge an object that includes special keys like '__proto__' or 'constructor.prototype'. This injects properties into the object's prototype, which can be verified by checking for the presence of the injected properties.
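The check described above can be turned into a regression test for any merge helper. The following is an added example, not code from the Brikcss Merge package: `naiveMerge` is a hypothetical stand-in for an unguarded recursive merge, `safeMerge` is a hardened variant that skips the special keys, and `pollutesPrototype` and the JSON payload are constructed for illustration.

```javascript
// Added example; naiveMerge, safeMerge and pollutesPrototype are hypothetical
// names and do not come from the Brikcss Merge source.
const BLOCKED_KEYS = new Set(['__proto__', 'constructor', 'prototype']);
const isPlainObject = (v) => v !== null && typeof v === 'object' && !Array.isArray(v);

// Unguarded pattern: recurses into whatever target[key] resolves to, so an
// own "__proto__" key in the source walks into Object.prototype.
function naiveMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (isPlainObject(source[key]) && isPlainObject(target[key])) {
      naiveMerge(target[key], source[key]);
    } else {
      target[key] = source[key];
    }
  }
  return target;
}

// Hardened pattern: drop the special keys at every depth and only recurse
// into properties the target owns itself (never inherited ones).
function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (BLOCKED_KEYS.has(key)) continue;
    const own = Object.prototype.hasOwnProperty.call(target, key);
    if (isPlainObject(source[key]) && own && isPlainObject(target[key])) {
      safeMerge(target[key], source[key]);
    } else {
      // Copy nested objects through safeMerge so blocked keys are filtered too.
      target[key] = isPlainObject(source[key]) ? safeMerge({}, source[key]) : source[key];
    }
  }
  return target;
}

// Merges a constructed payload, reports whether a fresh object inherited the
// marker property, then removes the marker so the process stays clean.
function pollutesPrototype(mergeFn) {
  // JSON.parse creates "__proto__" as an own property, as untrusted input would.
  const payload = JSON.parse('{"a": {"b": 1}, "__proto__": {"polluted": "yes"}}');
  const merged = mergeFn({ a: { c: 2 } }, payload);
  const polluted = ({}).polluted === 'yes';
  delete Object.prototype.polluted;
  return { polluted, merged };
}

console.log('naive merge pollutes:', pollutesPrototype(naiveMerge).polluted);
console.log('safe merge pollutes:', pollutesPrototype(safeMerge).polluted);
```

Passing the package's own merge function to `pollutesPrototype` in place of `naiveMerge` gives the same check for an installed version.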
