
CVE-2024-36580: @cdr0/sg Prototype Pollution

CVSS Score: N/A

Basic Information

EPSS Score: 0.26502%
Published: 6/17/2024
Updated: 6/17/2024
KEV Status: No
Technology: JavaScript

Technical Details

CVSS Vector: -

Package Name   Ecosystem   Vulnerable Versions   First Patched Version
@cdr0/sg       npm         <= 1.0.10             (not listed on the page)

Vulnerability Intelligence

Miggo AI Root Cause Analysis

The PoC demonstrates prototype pollution via lib.default.setOn() with the path '__proto__.polluted'. The vulnerability report specifically references ref.js line 89 as the location of the vulnerable code. The setOn function appears to handle property paths without sanitizing prototype-related keywords, enabling attackers to modify Object.prototype properties through crafted input.
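To make the root cause concrete, the following added example (not @cdr0/sg's code; the library's real setOn signature is not on this page) places a dotted-path setter of the kind the analysis describes next to a hardened version. The names setOnUnsafe, setOnSafe and demonstratePollution are hypothetical; the probe object and the '__proto__.polluted' path are the constructed input.

```javascript
// Added example, not code from @cdr0/sg. setOnUnsafe reproduces the pattern
// the advisory describes (a path setter that never checks for prototype
// keys); setOnSafe is one way to harden it.

const FORBIDDEN_SEGMENTS = new Set(['__proto__', 'constructor', 'prototype']);

// Hypothetical unsafe setter: walks the dotted path, creating containers as
// needed, and assigns the last segment. Because obj['__proto__'] resolves to
// Object.prototype, a '__proto__.x' path makes the final write land on the
// shared prototype, so every plain object afterwards "has" property x.
function setOnUnsafe(obj, path, value) {
  const parts = path.split('.');
  let cur = obj;
  for (let i = 0; i < parts.length - 1; i++) {
    const key = parts[i];
    if (typeof cur[key] !== 'object' || cur[key] === null) {
      cur[key] = {};
    }
    cur = cur[key];
  }
  cur[parts[parts.length - 1]] = value;
  return obj;
}

// Hardened setter: reject prototype-related segments up front, and only
// descend into the target's *own* properties so the walk can never leave the
// object the caller passed in via the prototype chain.
function setOnSafe(obj, path, value) {
  const parts = path.split('.');
  for (const key of parts) {
    if (FORBIDDEN_SEGMENTS.has(key)) {
      throw new TypeError(`refusing to set prototype-related key "${key}"`);
    }
  }
  let cur = obj;
  for (let i = 0; i < parts.length - 1; i++) {
    const key = parts[i];
    const own = Object.prototype.hasOwnProperty.call(cur, key);
    if (!own || typeof cur[key] !== 'object' || cur[key] === null) {
      cur[key] = {};
    }
    cur = cur[key];
  }
  cur[parts[parts.length - 1]] = value;
  return obj;
}

// Runs the advisory's PoC path against a setter and reports whether an
// unrelated, freshly created object ended up seeing the written value
// (i.e. Object.prototype was polluted) and whether the setter refused the
// input. Cleans up afterwards so later code is unaffected.
function demonstratePollution(setter) {
  const probe = {};            // constructed: unrelated object used as a canary
  let rejected = false;
  try {
    setter({}, '__proto__.polluted', 'yes');
  } catch (e) {
    rejected = e instanceof TypeError;
  }
  const polluted = probe.polluted === 'yes';
  delete Object.prototype.polluted;   // undo any pollution the demo caused
  return { polluted, rejected };
}

console.log('unsafe:', demonstratePollution(setOnUnsafe));
console.log('safe:  ', demonstratePollution(setOnSafe));
console.log('benign:', JSON.stringify(setOnSafe({}, 'a.b.c', 1)));
```

The canary check in demonstratePollution is also a cheap runtime detection for this bug class: after exercising a path-setting API with untrusted-looking keys, a fresh `{}` should never expose the written property.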

Vulnerable functions

Only Miggo users can see this section

WAF Protection Rules

WAF Rule

A Prototype Pollution issue in cdr0 sg 1.0.10 allows an attacker to execute arbitrary code.

Reasoning

The PoC demonstrates prototype pollution via lib.default.setOn() with the path '__proto__.polluted'. The vulnerability report specifically references ref.js line 89 as the location of the vulnerable code. The setOn function appears to handle property paths without sanitizing prototype-related keywords, enabling attackers to modify Object.prototype properties through crafted input.