CVE-2024-38999:
jrburke requirejs vulnerable to prototype pollution
10
CVSS Score
3.1
Basic Information
CVE ID
GHSA ID
EPSS Score
0.69627%
CWE
Published
7/1/2024
Updated
8/4/2024
KEV Status
No
Technology
JavaScript
Technical Details
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
---|---|---|---|
requirejs | npm | <= 2.3.6 | 2.3.7 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
- The advisory explicitly names s.contexts._.configure as the vulnerable entry point.
- The Snyk PoC demonstrates exploitation via requirejs.config() with proto payloads.
- The GitHub commit fix adds disallowedProps checks to eachProp() - a utility function used during configuration processing.
- Both functions handle user-provided configuration objects that are recursively merged without prototype protection in vulnerable versions.
- The parse function mentioned in some reports appears to be part of the configuration processing chain but isn't directly called in the primary PoCs.