Cloud Vulnerability DB
A community-led vulnerabilities database
Vulnerability DatabaseCVE-2024-36574
CVE-2024-36574:
JavaScript vulnerability analysis and mitigation
Overview
A Prototype Pollution vulnerability was discovered in flatten-json version 1.0.1. The vulnerability exists in the module.exports.unflattenJSON function located at flatten-json/index.js:42, which allows an attacker to execute arbitrary code (NVD, GitHub Gist).
Technical details
The vulnerability stems from unsafe property assignment from source to destination in the unflattenJSON function. The issue has a CVSS Score of 6.3 (MEDIUM). The vulnerability allows attackers to inject malicious payloads through the built-in Object's special properties proto or constructor.prototype, which can lead to prototype pollution (GitHub Gist).
Impact
Successful exploitation of this vulnerability can lead to multiple security impacts including Denial of Service (DoS), Remote Code Execution (RCE), or Cross-Site Scripting (XSS) attacks through prototype pollution (GitHub Gist).
Mitigation and workarounds
No official patch has been released by the maintainer. Users are advised to implement proper sanitization and validation of user-supplied inputs, specifically by blocking inputs containing proto and constructor.prototype (GitHub Gist).
Additional resources
Source: This report was generated using AI
Related JavaScript vulnerabilities:
Free Vulnerability Assessment
Benchmark your Cloud Security Posture
Evaluate your cloud security practices across 9 security domains to benchmark your risk level and identify gaps in your defenses.
Additional Wiz resources
Get a personalized demo
Ready to see Wiz in action?
"Best User Experience I have ever seen, provides full visibility to cloud workloads."
David EstlickCISO
"Wiz provides a single pane of glass to see what is going on in our cloud environments."
Adam FletcherChief Security Officer
"We know that if Wiz identifies something as critical, it actually is."
Greg PoniatowskiHead of Threat and Vulnerability Management