Cyber Resilience

CVE-2024-12629

Medium

Published: 12 February 2025

Published
12 February 2025
Modified
27 June 2025
KEV Added
Patch
CVSS Score v3.1 4.1 CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:L
EPSS Score 0.0005 16.5th percentile
Risk Priority 8 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2024-12629 is a medium-severity Prototype Pollution (CWE-1321) vulnerability in Progress Kendoreact. Its CVSS base score is 4.1 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 16.5th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2024-12629 is a prototype pollution vulnerability in Progress Telerik KendoReact versions v3.5.0 through v9.4.0. It enables an attacker to introduce or modify properties within the global prototype chain, which can lead to denial of service or command injection. The issue is classified under CWE-1321 and carries a CVSS v3.1 base score of 4.1 (AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:L).

Exploitation is possible over the network by an attacker with high privileges, though it requires high attack complexity and no user interaction. Upon success, the attacker can achieve low-level impacts on confidentiality, integrity, and availability, aligning with the potential for denial of service or command injection as described.

The Telerik knowledge base provides details on mitigation in their security advisory at https://www.telerik.com/kendo-react-ui/components/knowledge-base/kb-security-protoype-pollution-2024-12629.

EU & UK References

Vulnerability details

In Progress® Telerik® KendoReact versions v3.5.0 through v9.4.0, an attacker can introduce or modify properties within the global prototype chain which can result in denial of service or command injection.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1059.007 JavaScript Execution
Adversaries may abuse various implementations of JavaScript for execution.
T1499.004 Application or System Exploitation Impact
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Why these techniques?

Prototype pollution enables network exploitation of the app (T1190) and facilitates JS-based command injection (T1059.007) or application-layer DoS via crafted properties (T1499.004).

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2024-11628Same vendor: Progress
CVE-2025-11235Same vendor: Progress
CVE-2026-6023Same vendor: Progress
CVE-2026-2699Same vendor: Progress
CVE-2025-13774Same vendor: Progress
CVE-2026-6022Same vendor: Progress
CVE-2025-1758Same vendor: Progress
CVE-2026-4670Same vendor: Progress
CVE-2026-8485Same vendor: Progress
CVE-2026-8488Same vendor: Progress

Affected Assets

progress
kendoreact
3.5.0 — 9.4.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly addresses the prototype pollution flaw in KendoReact by requiring timely identification, prioritization, and remediation of the vulnerability via patching.

prevent

Prevents exploitation by validating and sanitizing untrusted inputs to KendoReact components, blocking malicious property modifications to the global prototype chain.

prevent

Mitigates the high privilege requirement (PR:H) for exploitation by enforcing least privilege, limiting who can supply inputs capable of polluting the prototype.

References