
CVE-2024-39018: @cat5th/key-serializer Prototype Pollution vulnerability

CVSS Score
6.3 (CVSS v3.1)

Basic Information

EPSS Score
0.49021%
Published
7/1/2024
Updated
7/31/2024
KEV Status
No
Technology
JavaScript

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
Package Name: @cat5th/key-serializer
Ecosystem: npm
Vulnerable Versions: <= 0.2.5
First Patched Version: none listed

Vulnerability Intelligence

Miggo AI Root Cause Analysis

The advisory's PoC demonstrates exploitation through the query, set, default.query and default.set functions using __proto__ payloads. All four entry points follow the same pattern: an attacker-controlled key is turned into a property assignment without any check for prototype-reaching keys, so a key containing __proto__ walks onto Object.prototype and the final assignment changes a property inherited by every object in the process. The root cause is missing input validation in these key-manipulation functions; a caller cannot fix it by sanitizing one call site, because every function that resolves keys shares the flaw.
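As an added illustration (this is not the package's own code and not the advisory's PoC), the following JavaScript models the pattern the analysis describes: a key-path setter and a query parser built on it, first in a vulnerable form and then hardened. The function names vulnerableSet, vulnerableQuery, safeSet and safeQuery, the dotted key syntax and the a.b=1&c=2 query format are assumptions chosen for the example; the real package's API may differ.

```javascript
// Added example modelling the root-cause pattern. NOT the source of
// @cat5th/key-serializer: function names, dotted key syntax and the query
// format are assumptions.

// Vulnerable: walks a dotted key path, creating intermediate objects as needed,
// and assigns the leaf. Nothing stops a segment from being "__proto__", so the
// walk steps onto Object.prototype and the assignment lands there.
function vulnerableSet(target, path, value) {
  const keys = path.split('.');
  let cur = target;
  for (let i = 0; i < keys.length - 1; i += 1) {
    const k = keys[i];
    if (cur[k] === undefined) cur[k] = {};
    cur = cur[k]; // for k === '__proto__' this is Object.prototype
  }
  cur[keys[keys.length - 1]] = value;
  return target;
}

// Vulnerable query entry point: "a.b=1&c=2" becomes {a: {b: "1"}, c: "2"}
// by handing every key straight to the setter above.
function vulnerableQuery(qs) {
  const out = {};
  for (const pair of qs.split('&')) {
    if (pair === '') continue;
    const eq = pair.indexOf('=');
    const key = decodeURIComponent(eq === -1 ? pair : pair.slice(0, eq));
    const val = eq === -1 ? '' : decodeURIComponent(pair.slice(eq + 1));
    vulnerableSet(out, key, val);
  }
  return out;
}

// Hardened: reject prototype-reaching segments up front. "constructor" and
// "prototype" are included because constructor.prototype is a second route
// to Object.prototype. Intermediate steps only follow own, plain-object
// properties, as defense in depth.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function safeSet(target, path, value) {
  const keys = path.split('.');
  for (const k of keys) {
    if (FORBIDDEN_KEYS.has(k)) {
      throw new Error(`refusing to set prototype-reaching key segment "${k}"`);
    }
  }
  let cur = target;
  for (let i = 0; i < keys.length - 1; i += 1) {
    const k = keys[i];
    const own = Object.prototype.hasOwnProperty.call(cur, k);
    if (!own || cur[k] === null || typeof cur[k] !== 'object') cur[k] = {};
    cur = cur[k];
  }
  cur[keys[keys.length - 1]] = value;
  return target;
}

function safeQuery(qs) {
  const out = {};
  for (const pair of qs.split('&')) {
    if (pair === '') continue;
    const eq = pair.indexOf('=');
    const key = decodeURIComponent(eq === -1 ? pair : pair.slice(0, eq));
    const val = eq === -1 ? '' : decodeURIComponent(pair.slice(eq + 1));
    safeSet(out, key, val);
  }
  return out;
}

// True if Object.prototype currently carries an own property with this name,
// i.e. every plain object in the process now inherits it.
function isPolluted(key) {
  return Object.prototype.hasOwnProperty.call(Object.prototype, key);
}

// Demonstration: pollute through the vulnerable parser, observe the effect on
// an unrelated object, clean up, then show the hardened parser refuses the
// same payload. Returns the observations so they can be checked.
function demo() {
  const payload = '__proto__.isAdmin=true'; // constructed attacker input
  vulnerableQuery(payload);
  const seenByUnrelatedObject = ({}).isAdmin; // "true" although never assigned
  delete Object.prototype.isAdmin; // restore the process

  let blocked = false;
  try {
    safeQuery(payload);
  } catch (e) {
    blocked = true;
  }
  return { seenByUnrelatedObject, blocked, stillPolluted: isPolluted('isAdmin') };
}
```

Calling demo() returns { seenByUnrelatedObject: "true", blocked: true, stillPolluted: false }: a brand-new empty object reports isAdmin after the vulnerable parse, which is exactly the cross-object effect that turns a benign key setter into an authorization bypass or a denial of service elsewhere in the application, while the hardened parser throws before touching any object.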

Vulnerable functions

query, set, default.query and default.set, as identified in the root cause analysis above.

Description

harvey-woo cat5th/key-serializer v0.2.5 was discovered to contain a prototype pollution via the function "query". This vulnerability allows attackers to execute arbitrary code or cause a Denial of Service (DoS) via injecting arbitrary properties.