CVE-2024-38986: Prototype Pollution vulnerability in 75lb deep-merge 1.1.1 allows attackers to execute arbitrary code or cause a Denial of Service (DoS) and other impacts via merge methods of lodash to merge objects.


Description Preview

CVE-2024-38986 describes a Prototype Pollution vulnerability in version 1.1.1 of the deep-merge package developed by 75lb. The package relies on lodash merge methods to deep-merge objects, and a recursive merge of that kind follows attacker-supplied keys such as __proto__ straight into the shared Object.prototype. An attacker who can feed crafted input (for example a JSON request body) into such a merge can therefore add or overwrite properties on every object in the process; depending on how the application later reads those properties, this can lead to Denial of Service (DoS), execution of arbitrary code, or other impacts.

Overview

The vulnerability is classified as CWE-1321, Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution'). Its CVSS v3.1 base score is 9.8 (Critical): the attack vector is Network, attack complexity is Low, no privileges and no user interaction are required, and the confidentiality, integrity and availability impacts are all rated High. The base score assumes that untrusted input reaches the vulnerable merge; whether a given deployment is actually exploitable depends on whether deep-merge is ever called on attacker-controlled data and on what the application does with the polluted properties afterwards, so confirm the data flow before accepting or downgrading the rating.

Remediation

To remediate this vulnerability, update the deep-merge package to a release later than 1.1.1 that addresses the Prototype Pollution issue, and check the full dependency tree for transitive copies of the affected version, not only direct dependencies. Until the upgrade is in place, never pass untrusted input directly to a recursive merge: reject or strip the keys __proto__, constructor and prototype before merging, merge into objects created with Object.create(null) where practical, and, as defence in depth, consider freezing Object.prototype at process start so that any remaining pollution attempt fails instead of silently succeeding.
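The vulnerable pattern beside its hardened counterpart, as an added example written for this page; it is not code from 75lb's deep-merge or from lodash. naiveMerge is a stand-in that reproduces the unfiltered recursive merge the advisory describes, safeMerge refuses prototype-related keys, and ATTACKER_JSON, isAdmin and runDemo are constructed for the demonstration only.

```javascript
// Added example (not code from 75lb/deep-merge or lodash): a minimal recursive
// merge that reproduces the prototype-pollution pattern behind CVE-2024-38986,
// next to a hardened merge that refuses to walk prototype-related keys.

// A "plain object" here is any non-null, non-array object. Deliberately loose:
// it also accepts Object.prototype, which is exactly how the naive merge ends
// up recursing into the shared prototype.
function isPlainObject(value) {
  return typeof value === 'object' && value !== null && !Array.isArray(value);
}

// VULNERABLE: recursive merge with no key filtering. Reading target['__proto__']
// on an ordinary object yields Object.prototype, so a source object carrying an
// own "__proto__" key makes the recursion write into Object.prototype.
function naiveMerge(target, source) {
  for (const key of Object.keys(source)) {
    const value = source[key];
    if (isPlainObject(value)) {
      if (!isPlainObject(target[key])) target[key] = {};
      naiveMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// HARDENED: reject the keys that can reach a prototype, and only descend into
// nested objects the target owns itself (never inherited ones like toString).
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) {
      throw new Error(`refusing to merge prototype-related key "${key}"`);
    }
    const value = source[key];
    if (isPlainObject(value)) {
      const own = Object.prototype.hasOwnProperty.call(target, key);
      const existing = own && isPlainObject(target[key]) ? target[key] : {};
      target[key] = safeMerge(existing, value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Constructed attacker input, as it would arrive in a JSON request body.
// JSON.parse creates "__proto__" as an ordinary OWN data property, so
// Object.keys lists it and both merges are handed the key.
const ATTACKER_JSON = '{"role":"user","__proto__":{"isAdmin":true}}';

// Typical application check: it does not distinguish an inherited isAdmin from
// an own one, which is what turns pollution into an authorization bypass.
function isAdmin(user) {
  return user.isAdmin === true;
}

function runDemo() {
  const result = {};

  // 1. Vulnerable merge: the pollution lands on Object.prototype, so a user
  //    object the merge never touched now passes the admin check.
  naiveMerge({}, JSON.parse(ATTACKER_JSON));
  result.naivePolluted = isAdmin({});
  delete Object.prototype.isAdmin; // undo the pollution so the rest of the demo is clean

  // 2. Hardened merge: the same request is rejected outright ...
  try {
    safeMerge({}, JSON.parse(ATTACKER_JSON));
    result.safeRejected = false;
  } catch (err) {
    result.safeRejected = true;
  }
  result.safePolluted = isAdmin({});

  // 3. ... while ordinary nested input still merges as expected.
  result.safeMerged = safeMerge(
    { role: 'guest', prefs: { theme: 'dark' } },
    JSON.parse('{"role":"user","prefs":{"lang":"en"}}')
  );
  return result;
}

console.log(JSON.stringify(runDemo()));
```

safeMerge throws rather than silently dropping the offending key, so a polluted request fails loudly at the boundary and shows up in logs; if a silent drop is preferred, replace the throw with a continue. Neither variant helps if some other library in the process still merges unfiltered input, which is why the dependency-tree check and a frozen Object.prototype belong alongside the fix.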

References

  1. CVE-2024-38986 Details: https://nvd.nist.gov/vuln/detail/CVE-2024-38986
  2. CWE-1321 Description: https://cwe.mitre.org/data/definitions/1321.html
  3. Vendor Reference: 75lb deep-merge

Industry Exposure (most to least)

This section shows the prevalence of this CVE across industries, based on customer reports, ranked from the most to the least affected. It indicates where the vulnerability has been observed most often, which can help organizations in these sectors prioritize their security efforts, compare their exposure with that of their peers, and direct patching, resource allocation and remediation where they are most needed.

  1. Management of Companies & Enterprises
  2. Manufacturing
  3. Finance and Insurance
  4. Public Administration
  5. Retail Trade
  6. Transportation & Warehousing
  7. Accommodation & Food Services
  8. Administrative, Support, Waste Management & Remediation Services
  9. Agriculture, Forestry, Fishing & Hunting
  10. Arts, Entertainment & Recreation
  11. Construction
  12. Educational Services
  13. Health Care & Social Assistance
  14. Information
  15. Mining
  16. Other Services (except Public Administration)
  17. Professional, Scientific, & Technical Services
  18. Real Estate Rental & Leasing
  19. Utilities
  20. Wholesale Trade
