Cyber Resilience

CVE-2024-11628

Medium

Published: 12 February 2025

Published
12 February 2025
Modified
27 June 2025
KEV Added
Patch
CVSS Score v3.1 4.1 CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:L
EPSS Score 0.0007 21.2th percentile
Risk Priority 8 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2024-11628 is a medium-severity Prototype Pollution (CWE-1321) vulnerability in Progress Kendo Ui For Vue. Its CVSS base score is 4.1 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 21.2th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2024-11628 is a prototype pollution vulnerability (CWE-1321) in Progress Telerik Kendo UI for Vue, affecting versions v2.4.0 through v6.0.1. The issue allows an attacker to introduce or modify properties within the global prototype chain, which can lead to denial of service or command injection. It received a CVSS v3.1 base score of 4.1 (AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:L), indicating low overall severity with network accessibility but high complexity and privilege requirements.

Exploitation is possible by an attacker with high privileges over the network, requiring high attack complexity and no user interaction. Successful exploitation can achieve limited impacts, including low confidentiality, integrity, and availability effects, manifesting as denial of service or command injection through prototype chain manipulation.

Mitigation details are provided in the Telerik knowledge base article at https://www.telerik.com/kendo-vue-ui/components/knowledge-base/kb-security-protoype-pollution-2024-11628.

EU & UK References

Vulnerability details

In Progress® Telerik® Kendo UI for Vue versions v2.4.0 through v6.0.1, an attacker can introduce or modify properties within the global prototype chain which can result in denial of service or command injection.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1059 Command and Scripting Interpreter Execution
Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries.
Why these techniques?

Prototype pollution enables exploitation of the public-facing Vue component (T1190) and facilitates command injection leading to arbitrary command execution (T1059).

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2024-12629Same vendor: Progress
CVE-2026-3692Same vendor: Progress
CVE-2026-6023Same vendor: Progress
CVE-2026-2699Same vendor: Progress
CVE-2025-13774Same vendor: Progress
CVE-2026-4670Same vendor: Progress
CVE-2024-56135Same vendor: Progress
CVE-2026-4048Same vendor: Progress
CVE-2024-12251Same vendor: Progress
CVE-2025-11235Same vendor: Progress

Affected Assets

progress
kendo ui for vue
2.4.0 — 6.1.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly mandates timely identification, reporting, and correction of software flaws like the prototype pollution in CVE-2024-11628 affecting Telerik Kendo UI for Vue.

detect

Enables automated and periodic vulnerability scanning to identify deployments of vulnerable Telerik Kendo UI for Vue versions subject to CVE-2024-11628.

prevent

Mitigates prototype pollution attacks by requiring validation and sanitization of untrusted inputs that could introduce or modify global prototype chain properties.

References