Miggo Logo
Miggo Vulnerability Database
CVE-2024-57082

CVE-2024-57082:
@rpldy/uploader prototype pollution

7.5

CVSS Score
3.1

Basic Information

CVE ID
CVE-2024-57082
GHSA ID
GHSA-pc47-g7gv-4gpw
EPSS Score
0.17625%
CWE
CWE-1321
Published
2/6/2025
Updated
2/21/2025
KEV Status
No
Technology
TechnologyJavaScript

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Package NameEcosystemVulnerable VersionsFirst Patched Version
@rpldy/uploadernpm< 1.9.11.9.1

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The vulnerability stems from improper input sanitization in object manipulation utilities used by createUploader. The commit shows fixes in merge.js (added 'proto' filtering), isPlainObject.js (added prototype checks), and new prototype pollution tests. Since createUploader consumes user configuration through these utilities, all these functions were vulnerable entry points. The high confidence comes from explicit prototype pollution tests added in the commit and CWE-1321 alignment.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

* prototyp* pollution in t** li*.*r**t*Uplo***r *un*tion o* @rpl*y/uplo***r v*.*.* *llows *tt**k*rs to **us* * **ni*l o* S*rvi** (*oS) vi* supplyin* * *r**t** p*ylo**.

Reasoning

T** vuln*r**ility st*ms *rom improp*r input s*nitiz*tion in o*j**t m*nipul*tion utiliti*s us** *y *r**t*Uplo***r. T** *ommit s*ows *ix*s in m*r**.js (***** '__proto__' *ilt*rin*), isPl*inO*j**t.js (***** prototyp* ****ks), *n* n*w prototyp* pollution