CVE-2026-54639
Style Dictionary
Style Dictionary, a build system for creating cross-platform styles, contains a prototype pollution vulnerability starting in version 4.
Executive summary
Style Dictionary is affected by a high-severity prototype pollution vulnerability that could lead to arbitrary code execution or application instability.
Vulnerability
The vulnerability is a prototype pollution flaw, which occurs when attacker-controlled input (for example, keys such as `__proto__` in a merged JSON document) can add or overwrite properties on shared JavaScript prototypes such as `Object.prototype`, so that every object in the process inherits them. This can lead to the modification of application logic or, in certain contexts, remote code execution.
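As an added illustration (not Style Dictionary's own code, and the affected function in the project is not named here), the following shows the pattern in a token build tool: a naive recursive merge of JSON token files that reaches `Object.prototype`, a hardened merge that refuses prototype-reaching keys, and a check a defender can run to confirm the process prototype is clean. The sample token document is constructed for this example.

```javascript
// Added example, not Style Dictionary's code. Shows how a recursive merge of
// token JSON can pollute Object.prototype and how a hardened merge avoids it.
const FORBIDDEN_KEYS = new Set(["__proto__", "constructor", "prototype"]);

// Constructed sample: a token file with a brand colour plus a polluting key.
const SAMPLE_TOKENS = '{"color":{"brand":"#ff0000"},"__proto__":{"polluted":true}}';

function isPlainObject(v) {
  return v !== null && typeof v === "object" && !Array.isArray(v);
}

// Naive deep merge: walks every key of `source` into `target`. Because
// JSON.parse creates an own "__proto__" key, target["__proto__"] resolves to
// Object.prototype and the recursion writes into it.
function naiveMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (isPlainObject(source[key]) && isPlainObject(target[key])) {
      naiveMerge(target[key], source[key]);
    } else {
      target[key] = source[key];
    }
  }
  return target;
}

// Hardened deep merge: skip prototype-reaching keys, and only descend into
// objects that are own properties of `target`, never inherited ones.
function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) continue;
    const src = source[key];
    if (isPlainObject(src)) {
      const own = Object.prototype.hasOwnProperty.call(target, key);
      if (!own || !isPlainObject(target[key])) target[key] = {};
      safeMerge(target[key], src);
    } else {
      target[key] = src;
    }
  }
  return target;
}

// Defender check: has a given marker property landed on Object.prototype?
function isPrototypePolluted(marker) {
  return Object.prototype.hasOwnProperty.call(Object.prototype, marker);
}

// Merge the constructed sample with the hardened merge and report the result.
function buildSafely(json) {
  const merged = safeMerge({}, JSON.parse(json));
  return { merged, polluted: isPrototypePolluted("polluted") };
}
```

Running `buildSafely(SAMPLE_TOKENS)` keeps the `color.brand` token and reports `polluted: false`, whereas `naiveMerge({}, JSON.parse(SAMPLE_TOKENS))` leaves `polluted` on `Object.prototype`.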
Business impact
Prototype pollution is a critical concern for build systems and CI/CD pipelines, as it can allow attackers to influence the output of the build process. With a CVSS score of 8.8, this vulnerability poses a significant risk to the integrity of the software supply chain, potentially allowing for the injection of malicious styles or scripts into downstream applications.
Remediation
Immediate Action: Upgrade to the latest patched version of Style Dictionary to neutralize the prototype pollution risk.
Proactive Monitoring: Audit CI/CD build logs for unexpected modifications to build artifacts or configuration files.
Compensating Controls: Restrict the environment where build systems execute to minimize the impact of potential code execution, and employ static analysis tools to detect prototype pollution patterns.
Exploitation status
Public Exploit Available: false
Analyst recommendation
Developers should prioritize updating Style Dictionary to the latest version to prevent potential supply chain attacks. Given the nature of prototype pollution, it is essential to verify the integrity of recent builds to ensure that no malicious code was injected during the period the system was vulnerable.