Cyber Posture

CVE-2024-24292

Critical · Public PoC

Published: 28 March 2025
Modified: 17 April 2025
KEV Added: not listed
CVSS Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0029 (52.8th percentile)
Risk Priority: 20 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2024-24292 is a critical-severity Prototype Pollution (CWE-1321) vulnerability in Aliconnect Software Development Kit. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 47.2% of CVEs by exploit likelihood, is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and one other technique. What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

SI-2 Flaw Remediation (prevent): Directly requires timely identification, reporting, and correction of flaws like the prototype pollution vulnerability in Aliconnect/sdk v0.0.6 to prevent arbitrary code execution.

RA-5 Vulnerability Monitoring and Scanning (detect): Mandates vulnerability scanning to identify systems using the vulnerable Aliconnect/sdk version affected by CVE-2024-24292.

Input validation (prevent): Requires validation of untrusted inputs to the aim function, mitigating crafted payloads that exploit the prototype pollution leading to arbitrary code execution.

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1059.007 JavaScript (Execution): Adversaries may abuse various implementations of JavaScript for execution.

Why these techniques?

Remote unauthenticated RCE via prototype pollution in a JavaScript SDK maps directly to exploiting public-facing applications (T1190) and to JavaScript-based command and script execution (T1059.007).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

NVD Description

A Prototype Pollution issue in Aliconnect /sdk v.0.0.6 allows an attacker to execute arbitrary code via the aim function in the aim.js component.

Deeper analysis

CVE-2024-24292 is a Prototype Pollution vulnerability, classified under CWE-1321, affecting Aliconnect /sdk version 0.0.6. The flaw exists in the aim function within the aim.js component, enabling an attacker to execute arbitrary code by polluting the JavaScript prototype chain.

The vulnerability carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating it is exploitable remotely over the network with low attack complexity, no required privileges, and no user interaction. An unauthenticated attacker can achieve high impacts on confidentiality, integrity, and availability through arbitrary code execution on affected systems.

Mitigation details and further analysis are provided in the referenced advisory at https://gist.github.com/tariqhawis/a8b2c936622c885558173c37df0a77d9.

Details

CWE(s): CWE-1321 (Prototype Pollution)

Affected Products: aliconnect software development kit 0.0.6

CVEs Like This One

CVE-2024-38985 (shared CWE-1321)
CVE-2026-25881 (shared CWE-1321)
CVE-2026-33228 (shared CWE-1321)
CVE-2026-25754 (shared CWE-1321)
CVE-2026-26021 (shared CWE-1321)
CVE-2026-28794 (shared CWE-1321)
CVE-2024-38988 (shared CWE-1321)
CVE-2026-2964 (shared CWE-1321)
CVE-2025-61140 (shared CWE-1321)
CVE-2026-34221 (shared CWE-1321)
