CVE-2024-11628
Published: 12 February 2025
Summary
CVE-2024-11628 is a medium-severity Prototype Pollution (CWE-1321) vulnerability in Progress Kendo Ui For Vue. Its CVSS base score is 4.1 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 21.2th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2024-11628 is a prototype pollution vulnerability (CWE-1321) in Progress Telerik Kendo UI for Vue, affecting versions v2.4.0 through v6.0.1. The issue allows an attacker to introduce or modify properties within the global prototype chain, which can lead to denial of service or command injection. It received a CVSS v3.1 base score of 4.1 (AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:L), indicating low overall severity with network accessibility but high complexity and privilege requirements.
Exploitation is possible by an attacker with high privileges over the network, requiring high attack complexity and no user interaction. Successful exploitation can achieve limited impacts, including low confidentiality, integrity, and availability effects, manifesting as denial of service or command injection through prototype chain manipulation.
Mitigation details are provided in the Telerik knowledge base article at https://www.telerik.com/kendo-vue-ui/components/knowledge-base/kb-security-protoype-pollution-2024-11628.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-4543
Vulnerability details
In Progress® Telerik® Kendo UI for Vue versions v2.4.0 through v6.0.1, an attacker can introduce or modify properties within the global prototype chain which can result in denial of service or command injection.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Prototype pollution enables exploitation of the public-facing Vue component (T1190) and facilitates command injection leading to arbitrary command execution (T1059).
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly mandates timely identification, reporting, and correction of software flaws like the prototype pollution in CVE-2024-11628 affecting Telerik Kendo UI for Vue.
Enables automated and periodic vulnerability scanning to identify deployments of vulnerable Telerik Kendo UI for Vue versions subject to CVE-2024-11628.
Mitigates prototype pollution attacks by requiring validation and sanitization of untrusted inputs that could introduce or modify global prototype chain properties.