CVE-2024-12629

Medium

Published: 12 February 2025

Published

12 February 2025

Modified

27 June 2025

KEV Added

—

Patch

—

CVSS Score 4.1 CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:L

EPSS Score 0.0005 16.1th percentile

Risk Priority 8 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2024-12629 is a medium-severity Prototype Pollution (CWE-1321) vulnerability in Progress Kendoreact. Its CVSS base score is 4.1 (Medium).

Operationally, ranked at the 16.1th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match

prevent

Directly addresses the prototype pollution flaw in KendoReact by requiring timely identification, prioritization, and remediation of the vulnerability via patching.

SI-10 Information Input Validation good match

prevent

Prevents exploitation by validating and sanitizing untrusted inputs to KendoReact components, blocking malicious property modifications to the global prototype chain.

AC-6 Least Privilege partial match

prevent

Mitigates the high privilege requirement (PR:H) for exploitation by enforcing least privilege, limiting who can supply inputs capable of polluting the prototype.

NVD Description

In Progress® Telerik® KendoReact versions v3.5.0 through v9.4.0, an attacker can introduce or modify properties within the global prototype chain which can result in denial of service or command injection.

Deeper analysisAI

CVE-2024-12629 is a prototype pollution vulnerability in Progress Telerik KendoReact versions v3.5.0 through v9.4.0. It enables an attacker to introduce or modify properties within the global prototype chain, which can lead to denial of service or command injection. The issue is classified under CWE-1321 and carries a CVSS v3.1 base score of 4.1 (AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:L).

Exploitation is possible over the network by an attacker with high privileges, though it requires high attack complexity and no user interaction. Upon success, the attacker can achieve low-level impacts on confidentiality, integrity, and availability, aligning with the potential for denial of service or command injection as described.

The Telerik knowledge base provides details on mitigation in their security advisory at https://www.telerik.com/kendo-react-ui/components/knowledge-base/kb-security-protoype-pollution-2024-12629.

Details

CWE(s): CWE-1321

Affected Products

progress

kendoreact

3.5.0 — 9.4.0

CVEs Like This One

CVE-2024-11628Same vendor: Progress

CVE-2024-56133Same vendor: Progress

CVE-2026-4670Same vendor: Progress

CVE-2025-11235Same vendor: Progress

CVE-2025-13444Same vendor: Progress

CVE-2026-3518Same vendor: Progress

CVE-2024-56134Same vendor: Progress

CVE-2026-3517Same vendor: Progress

CVE-2025-0556Same vendor: Progress

CVE-2025-2324Same vendor: Progress

References

https://www.telerik.com/kendo-react-ui/components/knowledge-base/kb-security-protoype-pollution-2024-12629
Vendor Advisory · security@progress.com