Name of the Vulnerable Software and Affected Versions:
js-toml versions prior to 1.0.2
Description:
A prototype pollution vulnerability in js-toml allows a remote attacker to add or modify properties of the global `Object.prototype` by supplying a maliciously crafted TOML document for parsing. The vulnerability occurs when the parser assigns a key named `__proto__` into the plain JavaScript object it builds: on such an object that name resolves to the inherited prototype accessor instead of creating an own property, so the values under it are written to `Object.prototype` and become visible on every object in the process. The impact depends on what the application and its dependencies do with unexpected inherited properties, and can range from authentication or authorization bypass (for example a check such as `if (user.isAdmin)` on an object that never had that property) to Denial of Service (DoS) or Remote Code Execution (RCE).
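The following is an added example, not code from js-toml: a minimal nested-key assigner of the kind a TOML parser uses when it materialises dotted keys and tables, shown in the shape that is vulnerable to this class of bug and in a hardened shape. The function names, the simplified key splitter (bare dotted keys only) and the malicious input are constructed for illustration and are not taken from the advisory.

```javascript
// Added example, not js-toml's code: a minimal nested-key assigner of the kind
// a TOML parser uses when it materialises dotted keys and tables, shown in a
// vulnerable form and a hardened form. Helper names are illustrative.

// Splits a bare dotted key such as "server.port" (simplified: no quoted keys).
function parseDottedKey(key) {
  return key.split('.').map((s) => s.trim());
}

// Vulnerable: each segment is written into a plain object. A segment named
// "__proto__" does not create an own property; it resolves through the
// inherited accessor to Object.prototype, so the final write lands there.
function setPathUnsafe(root, path, value) {
  let cur = root;
  for (let i = 0; i < path.length - 1; i++) {
    const key = path[i];
    if (typeof cur[key] !== 'object' || cur[key] === null) {
      cur[key] = {};
    }
    cur = cur[key];
  }
  cur[path[path.length - 1]] = value;
  return root;
}

// Hardened: reject the keys that reach the prototype chain (conservatively,
// at every position), walk only own properties, and build intermediate
// tables without a prototype so no "__proto__" accessor exists on them.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function setPathSafe(root, path, value) {
  for (const key of path) {
    if (FORBIDDEN_KEYS.has(key)) {
      throw new Error(`refusing to assign through key "${key}"`);
    }
  }
  let cur = root;
  for (let i = 0; i < path.length - 1; i++) {
    const key = path[i];
    const existing = Object.prototype.hasOwnProperty.call(cur, key) ? cur[key] : undefined;
    if (typeof existing !== 'object' || existing === null) {
      cur[key] = Object.create(null); // null-prototype container
    }
    cur = cur[key];
  }
  cur[path[path.length - 1]] = value;
  return root;
}

// Constructed malicious input: a dotted key that targets the prototype.
const MALICIOUS_KEY = '__proto__.polluted';

// Returns true if feeding the malicious key through the unsafe assigner
// changed an unrelated object, i.e. Object.prototype was polluted.
function pollutionReachesOtherObjects() {
  const unrelated = {};
  try {
    setPathUnsafe({}, parseDottedKey(MALICIOUS_KEY), true);
    return unrelated.polluted === true;
  } finally {
    delete Object.prototype.polluted; // undo the pollution for this process
  }
}

// Returns true if the hardened assigner rejects the key and leaves the
// prototype untouched.
function hardenedRejectsPollution() {
  const unrelated = {};
  let rejected = false;
  try {
    setPathSafe({}, parseDottedKey(MALICIOUS_KEY), true);
  } catch (err) {
    rejected = true;
  }
  return rejected && unrelated.polluted === undefined;
}

console.log('unsafe assigner pollutes Object.prototype:', pollutionReachesOtherObjects());
console.log('hardened assigner rejects the key:', hardenedRejectsPollution());
console.log('benign key still works:', JSON.stringify(setPathSafe({}, parseDottedKey('server.port'), 8080)));
```

The unsafe variant never creates an own property named `__proto__`; the lookup falls through to the accessor inherited from `Object.prototype`, which is why the last assignment affects every plain object in the process. The hardened variant combines two independent defences (key rejection and null-prototype containers) so that a missed key name alone is not enough to reach the prototype.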
Recommendations:
Upgrade to version 1.0.2 or later to mitigate this issue.
Until the upgrade is in place, only pass TOML input from a fully trusted source to js-toml. Scanning the raw text for the string `__proto__` is a weak stopgap: TOML lets the same key be written as a quoted key (`"__proto__"`) and lets keys appear in table headers, dotted keys and inline tables, so a simple substring or keyword check is easy to bypass. As defence in depth, freezing `Object.prototype` at process start-up (`Object.freeze(Object.prototype)`) blocks this whole class of pollution, but verify that no dependency relies on extending built-in prototypes before enabling it.