CVE-2022-37621 is a critical prototype pollution vulnerability found in the function resolveShims within the resolve-shims.js file of the thlorenz browserify-shim package, version 3.8.15. Prototype pollution is a type of security flaw in JavaScript applications where an attacker can manipulate the prototype of a base object, leading to the modification of properties that are inherited by all objects. This can result in arbitrary code execution, denial of service, or data corruption. The vulnerability arises from improper handling of the fullPath variable in resolve-shims.js, allowing an attacker to inject or modify properties on the Object prototype. The CVSS 3.1 score of 9.8 (critical) reflects the high severity, with an attack vector of network (AV:N), low attack complexity (AC:L), no privileges required (PR:N), no user interaction needed (UI:N), and impacts on confidentiality, integrity, and availability (C:H/I:H/A:H). Although no specific vendor or product name beyond the package is provided, browserify-shim is a widely used JavaScript tool that enables the use of Node.js modules in browser environments by shim wrapping. This vulnerability could be exploited remotely without authentication or user interaction, making it highly dangerous especially in web applications that bundle this package. No known exploits are reported in the wild yet, but the critical nature and ease of exploitation make it a significant threat to any software depending on this package.

For European organizations, the impact of this vulnerability can be substantial, especially those developing or deploying web applications using browserify-shim 3.8.15 or dependent packages. Exploitation could lead to full compromise of web applications, allowing attackers to execute arbitrary code, steal sensitive data, or disrupt services. This is particularly critical for sectors such as finance, healthcare, government, and critical infrastructure where confidentiality and availability are paramount. Since the vulnerability can be exploited remotely without authentication, attackers could leverage it to infiltrate internal networks or pivot to other systems. The widespread use of JavaScript tooling in modern web development means many European companies could be indirectly affected if they use affected dependencies. Additionally, supply chain risks arise if third-party software or libraries incorporate the vulnerable package. The lack of a patch link suggests organizations may need to rely on updated package versions or mitigations from the community or maintainers.

European organizations should first identify all instances of browserify-shim 3.8.15 usage within their codebases and dependencies using software composition analysis tools. Immediate mitigation involves upgrading to a patched or newer version of browserify-shim if available; if no official patch exists, consider removing or replacing the package with alternatives that do not have this vulnerability. Implement strict input validation and sanitization around any functionality that processes or resolves module paths to prevent injection of malicious payloads. Employ runtime protections such as Content Security Policy (CSP) to limit the impact of potential code execution in browsers. Monitor application logs and network traffic for anomalous behavior indicative of exploitation attempts. Additionally, maintain an up-to-date inventory of JavaScript dependencies and apply security updates promptly. For critical applications, consider sandboxing or isolating components that use this package to reduce blast radius. Engage with the open-source community or maintainers to track patch releases and advisories.