
CVE-2024-38999:
jrburke requirejs vulnerable to prototype pollution

CVSS Score
10 (CVSS 3.1)

Basic Information

EPSS Score
0.69627%
Published
7/1/2024
Updated
8/4/2024
KEV Status
No
Technology
JavaScript

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Package Name | Ecosystem | Vulnerable Versions | First Patched Version
requirejs    | npm       | <= 2.3.6            | 2.3.7

Vulnerability Intelligence

Miggo AI Root Cause Analysis

  1. The advisory explicitly names s.contexts._.configure as the vulnerable entry point.
  2. The Snyk PoC demonstrates exploitation via requirejs.config() with proto payloads.
  3. The GitHub commit fix adds disallowedProps checks to eachProp() - a utility function used during configuration processing.
  4. Both functions handle user-provided configuration objects that are recursively merged without prototype protection in vulnerable versions.
  5. The parse function mentioned in some reports appears to be part of the configuration processing chain but isn't directly called in the primary PoCs.
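As an added illustration of points 3 and 4 (this is editor-written example code, not requirejs's source and not taken from the advisory, the Snyk PoC or the fix commit), the block below models a config-style deep merge driven by an eachProp helper, once without any guard and once with a disallowed-properties check of the kind the 2.3.7 fix is described as adding. The names eachPropUnsafe, eachPropSafe, mixin and DISALLOWED_PROPS, the exact contents of that list, and the untrusted config payload are all assumptions. The demo directs the merge at a dedicated prototype object rather than the global Object.prototype, so it runs without leaving side effects in the process.

```javascript
// Illustrative model of the flaw and fix described in the root cause analysis.
// NOT requirejs's own code; names and the disallowed list are assumptions.
const hasProp = (obj, prop) => Object.prototype.hasOwnProperty.call(obj, prop);
const isPlainObject = (v) => v !== null && typeof v === 'object' && !Array.isArray(v);

// Vulnerable shape: visits every own key, including a "__proto__" key that
// JSON.parse creates as an ordinary own property of the parsed object.
function eachPropUnsafe(obj, func) {
  for (const prop in obj) {
    if (hasProp(obj, prop)) func(obj[prop], prop);
  }
}

// Hardened shape, modelled on the disallowedProps check the fix introduces:
// keys that would let the merge reach a prototype are skipped and reported.
const DISALLOWED_PROPS = ['__proto__', 'constructor', 'prototype']; // assumed list
function eachPropSafe(obj, func, onRejected) {
  for (const prop in obj) {
    if (!hasProp(obj, prop)) continue;
    if (DISALLOWED_PROPS.includes(prop)) {
      if (onRejected) onRejected(prop); // detection hook: log/alert on rejected keys
      continue;
    }
    func(obj[prop], prop);
  }
}

// Recursive config merge in the style of a mixin helper. Nested objects are
// merged into target[prop]; when prop === "__proto__", target[prop] IS the
// prototype shared by every object created from it, which is the pollution path.
function mixin(target, source, eachProp) {
  eachProp(source, (value, prop) => {
    if (isPlainObject(value)) {
      if (!isPlainObject(target[prop])) target[prop] = {};
      mixin(target[prop], value, eachProp);
    } else {
      target[prop] = value;
    }
  });
  return target;
}

// Constructed payload, shaped like a config object parsed from untrusted input.
const UNTRUSTED_CONFIG = JSON.parse(
  '{"paths": {"app": "js/app"}, "__proto__": {"polluted": "yes"}}'
);

// Runs the merge with a given eachProp and reports what happened. A dedicated
// prototype object stands in for Object.prototype so the demo stays contained.
function demo(eachProp) {
  const sharedProto = {};
  const config = Object.create(sharedProto);
  const rejected = [];
  mixin(config, UNTRUSTED_CONFIG, (obj, fn) => eachProp(obj, fn, (p) => rejected.push(p)));
  const bystander = Object.create(sharedProto); // unrelated object sharing the prototype
  return { appPath: config.paths.app, bystanderPolluted: bystander.polluted, rejected };
}

console.log('unsafe:', JSON.stringify(demo(eachPropUnsafe)));
console.log('safe:  ', JSON.stringify(demo(eachPropSafe)));
```

With the unguarded helper the bystander object acquires the injected property even though the merge never touched it directly; with the guarded helper the legitimate "paths" entry still merges, the "__proto__" key is dropped, and the rejection hook gives a detection point worth logging in any code that merges caller-supplied configuration.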


WAF Protection Rules

WAF Rule

jrburke requirejs v2.3.6 was discovered to contain a prototype pollution via the function `s.contexts._.configure`. This vulnerability allows attackers to execute arbitrary code or cause a Denial of Service (DoS) via injecting arbitrary properties.
