CVE-2024-39001: 
JavaScript vulnerability analysis and mitigation

ag-grid-enterprise v31.3.2 was discovered to contain a prototype pollution vulnerability via the component _ModuleSupport.jsonApply. This vulnerability allows attackers to execute arbitrary code or cause a Denial of Service (DoS) via injecting arbitrary properties. The vulnerability was discovered in July 2024 and affects both ag-grid-enterprise and ag-grid-community packages (NVD, GitHub Advisory).

The vulnerability exists in multiple components including ModuleSupport.jsonApply, ModuleSupport.setPath, Util.jsonApply, and .mergeDeep. An attacker can modify the built-in Object.prototype by calling these vulnerable functions with arguments containing a special property proto to pollute the application logic. The vulnerability has been assigned a CVSS v3.1 base score of 6.3 (Medium) with vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L (NVD, GitHub PoC).

The exploitation of this vulnerability can lead to multiple severe consequences including Denial of Service (DoS), remote code execution, or cross-site scripting attacks depending on the gadgets affected by the prototype pollution. The attack can alter the behavior of all objects inheriting from the affected prototype (GitHub Advisory).

The vulnerability has been patched in multiple versions: For AG Grid - version 31.3.4 and 32.0.2, For AG Charts - version 9.3.2 and 10.0.2. Users are recommended to upgrade to these patched versions to address the vulnerability (GitHub Advisory).

The vendor has acknowledged the vulnerability and responded promptly with patches. They have indicated that while older versions may be affected, they are focusing on providing fixes for the latest versions (31 and 32) where the vulnerability was reported (GitHub Discussion).