CVE-2024-38996: 
JavaScript vulnerability analysis and mitigation

ag-grid-community v31.3.2 and ag-grid-enterprise v31.3.2 were discovered to contain a prototype pollution vulnerability via the _.mergeDeep function. This critical vulnerability, identified as CVE-2024-38996, was assigned a CVSS score of 9.8, indicating its severe nature. The vulnerability was discovered in July 2024 and affects both the community and enterprise versions of the ag-grid package (GitHub Advisory, GitHub Enterprise).

The vulnerability exists in multiple components including .mergeDeep, ModuleSupport.jsonApply, ModuleSupport.setPath, and Util.jsonApply functions. The issue allows attackers to modify the built-in Object.prototype by calling these vulnerable functions with arguments containing a special property proto. This can lead to prototype pollution, where an attacker can alter the behavior of all objects inheriting from the affected prototype (GitHub Advisory).

The vulnerability allows attackers to execute arbitrary code or cause a Denial of Service (DoS) via injecting arbitrary properties. The attack can potentially escalate to remote code execution or cross-site scripting attacks depending on the gadgets that may be affected by the attack (GitHub Advisory).

The vulnerability has been patched in version 31.3.4 for version 31 and patch 32.0.2 for version 32 of AG Grid. For AG Charts, patches are available in version 9.3.2 for version 9 and patch 10.0.2 for version 10. Users are recommended to upgrade to these patched versions to address the vulnerability (GitHub Enterprise).