
CVE-2024-38996: Prototype pollution in ag-grid-community via the _.mergeDeep function

CVSS Score: 9.8 (CVSS v3.1)

Basic Information

EPSS Score: 0.7017%
Published: 2024-07-01
Updated: 2024-09-04
KEV Status: No
Technology: JavaScript

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Package Name | Ecosystem | Vulnerable Versions | First Patched Version
ag-grid-enterprise | npm | < 31.3.4 | 31.3.4
ag-grid-community | npm | < 31.3.4 | 31.3.4

Vulnerability Intelligence

Miggo AI Root Cause Analysis

The vulnerability is explicitly tied to _.mergeDeep in the CVE title and in the PoC examples. Additional functions (_ModuleSupport.jsonApply, _ModuleSupport.setPath, _Util.jsonApply) are documented in the enterprise package Gists as attack vectors. All of the listed functions merge objects or assign values along a key path without rejecting prototype-chain keys such as __proto__, so attacker-controlled keys in the merged input reach Object.prototype, as the reproducible PoCs demonstrate. The AG Grid team's patch (PR #8290) confirms fixes to key handling in the merge operations, validating these functions as vulnerable.
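The merge pattern the analysis describes, as an added example that is not ag-grid's code and does not reproduce the real _.mergeDeep implementation or signature: a minimal recursive deep merge in the pre-patch style (hypothetical mergeDeepUnsafe) beside a hardened version (hypothetical mergeDeepSafe) that refuses prototype-chain keys and only recurses into own plain objects, run against a constructed JSON payload of the kind a PoC would submit.

```javascript
// Added example: a minimal recursive deep merge in the style of a pre-patch
// mergeDeep, beside a hardened version. Neither function is ag-grid's code;
// the names mergeDeepUnsafe / mergeDeepSafe are hypothetical.

function isPlainObject(value) {
  return value !== null && typeof value === 'object' && !Array.isArray(value);
}

// Vulnerable pattern: walks every enumerable key of `source`, including the
// string key "__proto__" that JSON.parse creates as an ordinary own property.
// dest["__proto__"] resolves to Object.prototype, so the recursion writes
// attacker-chosen properties onto the prototype shared by every object.
function mergeDeepUnsafe(dest, source) {
  for (const key in source) {
    const value = source[key];
    if (isPlainObject(value)) {
      if (!isPlainObject(dest[key])) dest[key] = {};
      mergeDeepUnsafe(dest[key], value); // for key === "__proto__" this is Object.prototype
    } else {
      dest[key] = value;
    }
  }
  return dest;
}

// Hardened pattern: own keys only, and the three keys that reach the prototype
// chain are refused outright. A nested target is reused only when it is an own,
// plain object of `dest`; anything inherited is replaced by a fresh object.
const PROTOTYPE_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function mergeDeepSafe(dest, source) {
  for (const key of Object.keys(source)) {
    if (PROTOTYPE_KEYS.has(key)) continue;
    const value = source[key];
    if (isPlainObject(value)) {
      if (!Object.prototype.hasOwnProperty.call(dest, key) || !isPlainObject(dest[key])) {
        dest[key] = {};
      }
      mergeDeepSafe(dest[key], value);
    } else {
      dest[key] = value;
    }
  }
  return dest;
}

// Constructed payload (not taken from the advisory): a JSON document such as a
// grid state or column definition that a client controls and that the
// application merges into its defaults.
const PROTO_PAYLOAD = '{"columnWidth": 100, "__proto__": {"polluted": true}}';

// Runs one merge against attacker-controlled JSON and reports whether a
// brand-new, unrelated object afterwards inherits `marker`. Pollution is
// process-global, so the property is deleted again before returning.
function pollutes(mergeFn, payloadJson, marker) {
  const target = { columnWidth: 80 };
  mergeFn(target, JSON.parse(payloadJson));
  const leaked = ({})[marker] !== undefined;
  delete Object.prototype[marker];
  return leaked;
}

console.log('unsafe merge pollutes Object.prototype:', pollutes(mergeDeepUnsafe, PROTO_PAYLOAD, 'polluted'));
console.log('safe merge pollutes Object.prototype:  ', pollutes(mergeDeepSafe, PROTO_PAYLOAD, 'polluted'));
```

The cleanup in pollutes is there because a polluted Object.prototype outlives the merge and affects every later object in the process; that is also why a payload that overwrites a method such as toString with a non-function is enough for the denial-of-service outcome the advisory mentions. Rejecting the three keys is the fix the merge itself needs; validating untrusted JSON against a schema before merging, or keeping merged configuration in Object.create(null) maps, are defence-in-depth measures on top of it.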

Vulnerable functions

Only Miggo users can see this section.

WAF Protection Rules

WAF Rule

ag-grid-community v31.3.2 and ag-grid-enterprise v31.3.2 were discovered to contain a prototype pollution via the _.mergeDeep function. This vulnerability allows attackers to execute arbitrary code or cause a Denial of Service (DoS) via injecting arbitrary properties.
