Cyber Resilience

CVE-2024-57064

High

Published: 05 February 2025

Published
05 February 2025
Modified
15 April 2026
KEV Added
Patch
CVSS Score v3.1 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS Score 0.0026 49.6th percentile
Risk Priority 15 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2024-57064 is a high-severity Prototype Pollution (CWE-1321) vulnerability. Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004); ranked at the 49.6th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2024-57064 is a prototype pollution vulnerability (CWE-1321) in the lib.setValue function of the @syncfusion/ej2-spreadsheet npm package version 27.2.2. Published on 2025-02-05, it enables attackers to trigger a Denial of Service (DoS) by supplying a crafted payload. The vulnerability carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H). The supplier disputes the issue, asserting that the lib.setValue function is not utilized.

Attackers can exploit this remotely over the network with low attack complexity, requiring no privileges, authentication, or user interaction. Exploitation involves injecting a crafted payload into the vulnerable function, resulting in high-impact disruption to availability and causing a DoS condition without affecting confidentiality or integrity.

Advisories provide limited mitigation details, with the primary reference being a GitHub Gist at https://gist.github.com/tariqhawis/1b40dc7f3836813663c871535039760e. Practitioners should verify usage of the lib.setValue function in affected deployments and consider upgrading to newer versions of @syncfusion/ej2-spreadsheet if available, while awaiting further clarification on the supplier's dispute.

EU & UK References

Vulnerability details

A prototype pollution in the lib.setValue function of @syncfusion/ej2-spreadsheet v27.2.2 allows attackers to cause a Denial of Service (DoS) via supplying a crafted payload. NOTE: the Supplier disputes this because they found that the lib.setValue function is not utilized.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1499.004 Application or System Exploitation Impact
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Why these techniques?

Prototype pollution in JS library directly enables remote DoS via crafted payload exploitation of the application (T1499.004).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2024-57063Shared CWE-1321
CVE-2024-57086Shared CWE-1321
CVE-2024-57071Shared CWE-1321
CVE-2025-57321Shared CWE-1321
CVE-2024-57084Shared CWE-1321
CVE-2025-57350Shared CWE-1321
CVE-2025-70956Shared CWE-1321
CVE-2024-57065Shared CWE-1321
CVE-2026-32886Shared CWE-1321
CVE-2024-57078Shared CWE-1321

Affected Assets

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly mitigates the prototype pollution vulnerability by requiring identification, reporting, and correction of flaws in the vulnerable @syncfusion/ej2-spreadsheet v27.2.2 package through patching or upgrades.

prevent

Prevents exploitation of the lib.setValue function by validating crafted payloads that enable prototype pollution leading to DoS.

preventdetect

Addresses the high-impact DoS outcome of prototype pollution by protecting system availability against network-based denial-of-service events.

References