Miggo Logo
Miggo Vulnerability Database
CVE-2024-30564

CVE-2024-30564: @andrei-tatar/nora-firebase-common Prototype Pollution vulnerability

9.8

CVSS Score
3.1

Basic Information

CVE ID
CVE-2024-30564
GHSA ID
GHSA-jjff-q3q4-5hh8
EPSS Score
0.8768%
CWE
CWE-1321
Published
4/18/2024
Updated
4/18/2024
KEV Status
No
Technology
TechnologyJavaScript

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Package NameEcosystemVulnerable VersionsFirst Patched Version
@andrei-tatar/nora-firebase-commonnpm>= 1.0.41, < 1.12.31.12.3

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The vulnerability stems from updateStateInternal's key iteration logic. The pre-patch code lacked checks for prototype-pollution vectors (proto/constructor/prototype) when recursively merging objects. The commit explicitly adds an 'ignoreKeys' filter to address this, and the test case confirms the fix by verifying proto manipulation is blocked. The CVE description and PoC both target this function's handling of the 'update' parameter, making it the clear entry point for the exploit.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

*n issu* in*n*r*i-t*t*r nor*-*ir***s*-*ommon **tw**n v.*.*.** *n* v.*.**.* *llows * r*mot* *tt**k*r to *x**ut* *r*itr*ry *o** vi* * *r**t** s*ript to t** up**t*St*t* p*r*m*t*r o* t** up**t*St*t*Int*rn*l m*t*o*.

Reasoning

T** vuln*r**ility st*ms *rom up**t*St*t*Int*rn*l's k*y it*r*tion lo*i*. T** pr*-p*t** *o** l**k** ****ks *or prototyp*-pollution v**tors (__proto__/*onstru*tor/prototyp*) w**n r**ursiv*ly m*r*in* o*j**ts. T** *ommit *xpli*itly ***s *n 'i*nor*K*ys' *i