CVE-2022-24802: CWE-915: Improperly Controlled Modification of Dynamically-Determined Object Attributes in RebeccaStevens deepmerge-ts

Medium
Published: Thu Mar 31 2022 (03/31/2022, 23:15:15 UTC)
Source: CVE
Vendor/Project: RebeccaStevens
Product: deepmerge-ts

Description

deepmerge-ts is a TypeScript library providing functionality for deep merging of JavaScript objects. deepmerge-ts is vulnerable to Prototype Pollution via file deepmerge.ts, function defaultMergeRecords(). This issue has been patched in version 4.0.2. There are no known workarounds for this issue.

AI-Powered Analysis

Last updated: 06/23/2025, 11:34:44 UTC

Technical Analysis

CVE-2022-24802 is a vulnerability identified in the deepmerge-ts library, a TypeScript utility designed for deep merging of JavaScript objects. The vulnerability is classified under CWE-915, which pertains to the improper control of modifications to dynamically-determined object attributes, commonly known as Prototype Pollution. Specifically, the issue exists in the function defaultMergeRecords() within the deepmerge.ts file. Prototype Pollution occurs when an attacker can manipulate the prototype of a base object, thereby injecting or modifying properties that affect all objects inheriting from that prototype. This can lead to unexpected behavior, including the potential for arbitrary code execution, denial of service, or data corruption. The vulnerability affects all versions of deepmerge-ts prior to 4.0.2, with the issue being patched in version 4.0.2. There are no known workarounds aside from upgrading to the fixed version. While no known exploits have been observed in the wild, the nature of Prototype Pollution vulnerabilities makes them a significant concern, especially in environments where untrusted input is merged into objects without proper validation. The vulnerability does not require authentication or user interaction to be exploited, as it can be triggered by supplying crafted input to the vulnerable function. The scope of affected systems includes any applications or services that incorporate vulnerable versions of deepmerge-ts, which is commonly used in JavaScript and TypeScript projects for object merging operations.
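
The mechanism described above, shown as an added example that is not taken from deepmerge-ts or from this advisory: a generic recursive merge written for illustration, next to a guarded variant that skips prototype-related keys. The function names, the key blocklist and the input are assumptions constructed for this example, and the guard is one common defensive pattern, not necessarily how the 4.0.2 patch works.

```javascript
// Constructed illustration of CWE-915; this is NOT the deepmerge-ts source.
const BLOCKED_KEYS = new Set(["__proto__", "constructor", "prototype"]);
const isRecord = (v) => v !== null && typeof v === "object" && !Array.isArray(v);
const hasOwn = (o, k) => Object.prototype.hasOwnProperty.call(o, k);

// Unsafe pattern: JSON.parse yields an own "__proto__" key, and reading
// target["__proto__"] returns Object.prototype, so the recursion writes there.
function naiveMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (isRecord(source[key]) && isRecord(target[key])) {
      naiveMerge(target[key], source[key]);
    } else {
      target[key] = source[key];
    }
  }
  return target;
}

// Guarded pattern: skip prototype-related keys, only recurse into own
// properties of the target, and write with defineProperty instead of "=".
function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (BLOCKED_KEYS.has(key)) continue;
    const current = hasOwn(target, key) ? target[key] : undefined;
    const value = isRecord(source[key])
      ? safeMerge(isRecord(current) ? current : {}, source[key])
      : source[key];
    Object.defineProperty(target, key,
      { value, writable: true, enumerable: true, configurable: true });
  }
  return target;
}

// Runs both merges over the same constructed input and reports whether a
// fresh, unrelated object picked up the marker property.
function compareMerges() {
  const untrusted = JSON.parse(
    '{"__proto__": {"marker": "set"}, "theme": {"dark": true}}'); // constructed input
  naiveMerge({}, untrusted);
  const naivePolluted = ({}).marker === "set";
  delete Object.prototype.marker; // undo the pollution before the second run
  const merged = safeMerge({ theme: { dark: false, size: 12 } }, untrusted);
  const safePolluted = ({}).marker === "set";
  return { naivePolluted, safePolluted, merged };
}

console.log(compareMerges());
```

The same "does a fresh object carry an unexpected property" check works as a regression test around any merge call that handles untrusted input.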

Potential Impact

For European organizations, the impact of this vulnerability can be substantial depending on the usage context of deepmerge-ts within their software stacks. Prototype Pollution can compromise the integrity and availability of applications by enabling attackers to alter application logic or cause runtime errors. In web applications, this can lead to client-side or server-side code execution, potentially exposing sensitive data or disrupting services. Organizations relying on vulnerable versions in critical infrastructure, financial services, or public sector applications may face increased risk of data breaches or service outages. Additionally, supply chain risks arise if third-party or internally developed software packages include the vulnerable library, potentially propagating the vulnerability across multiple systems. The absence of known exploits in the wild reduces immediate risk but does not eliminate the threat, as attackers may develop exploits targeting this vulnerability. The medium severity rating reflects moderate impact potential, but the ease of exploitation and broad usage of JavaScript libraries in European enterprises elevate the importance of timely remediation.

Mitigation Recommendations

The primary and most effective mitigation is to upgrade all instances of deepmerge-ts to version 4.0.2 or later, where the vulnerability is patched. Organizations should conduct a thorough inventory of their software dependencies to identify any usage of deepmerge-ts, including transitive dependencies in larger projects. For environments where immediate upgrading is not feasible, code audits should be performed to identify and restrict the use of the defaultMergeRecords() function or any merging operations that process untrusted input. Implementing input validation and sanitization before merging objects can reduce the risk of Prototype Pollution. Additionally, employing runtime protection mechanisms such as JavaScript sandboxing or integrity checks can help detect anomalous prototype modifications. Continuous monitoring for unusual application behavior and integrating software composition analysis (SCA) tools into the development pipeline will aid in early detection and prevention of vulnerable package usage. Finally, educating development teams about the risks of Prototype Pollution and secure coding practices when handling object merges is crucial to prevent similar vulnerabilities.
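
For the dependency inventory step, the following added example (not part of the original advisory or of any SCA product) walks a parsed package-lock.json and reports every installed copy of deepmerge-ts below 4.0.2, including copies nested under other packages. The lockfile content, the package name some-lib and the function names are constructed for illustration.

```javascript
const FIXED = [4, 0, 2]; // first patched deepmerge-ts release, per the advisory

// True when `version` sorts before 4.0.2. A pre-release of 4.0.2 itself
// (for example "4.0.2-beta.1") is treated as unpatched.
function isBelowFixed(version) {
  const [core, pre] = version.split("+")[0].split("-", 2);
  const parts = core.split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    const diff = (parts[i] || 0) - FIXED[i];
    if (diff !== 0) return diff < 0;
  }
  return pre !== undefined;
}

// Returns [{ path, version }] for each vulnerable copy found in the lockfile.
function findVulnerable(lock, name = "deepmerge-ts") {
  const hits = [];
  // lockfileVersion 2 and 3: flat "packages" map keyed by install path.
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (path.endsWith("node_modules/" + name) && meta.version && isBelowFixed(meta.version)) {
      hits.push({ path, version: meta.version });
    }
  }
  // lockfileVersion 1: nested "dependencies" tree (skipped when "packages" exists).
  const walk = (deps, trail) => {
    for (const [dep, meta] of Object.entries(deps || {})) {
      const path = trail + "node_modules/" + dep;
      if (dep === name && meta.version && isBelowFixed(meta.version)) {
        hits.push({ path, version: meta.version });
      }
      walk(meta.dependencies, path + "/");
    }
  };
  if (!lock.packages) walk(lock.dependencies, "");
  return hits;
}

// Constructed sample lockfile: a patched top-level copy and an old transitive copy.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/deepmerge-ts": { version: "4.0.3" },
    "node_modules/some-lib": { version: "2.1.0" },
    "node_modules/some-lib/node_modules/deepmerge-ts": { version: "3.0.1" },
  },
};

console.log(findVulnerable(SAMPLE_LOCK));
```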


Technical Details

Data Version: 5.1
Assigner Short Name: GitHub_M
Date Reserved: 2022-02-10T00:00:00.000Z
CISA Enriched: true

Threat ID: 682d9843c4522896dcbf2be0

Added to database: 5/21/2025, 9:09:23 AM

Last enriched: 6/23/2025, 11:34:44 AM

Last updated: 8/5/2025, 9:05:21 PM
