CVE-2024-57064
Published: 05 February 2025
Summary
CVE-2024-57064 is a high-severity Prototype Pollution (CWE-1321) vulnerability. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004); ranked at the 49.6th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2024-57064 is a prototype pollution vulnerability (CWE-1321) in the lib.setValue function of the @syncfusion/ej2-spreadsheet npm package version 27.2.2. Published on 2025-02-05, it enables attackers to trigger a Denial of Service (DoS) by supplying a crafted payload. The vulnerability carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H). The supplier disputes the issue, asserting that the lib.setValue function is not utilized.
Attackers can exploit this remotely over the network with low attack complexity, requiring no privileges, authentication, or user interaction. Exploitation involves injecting a crafted payload into the vulnerable function, resulting in high-impact disruption to availability and causing a DoS condition without affecting confidentiality or integrity.
Advisories provide limited mitigation details, with the primary reference being a GitHub Gist at https://gist.github.com/tariqhawis/1b40dc7f3836813663c871535039760e. Practitioners should verify usage of the lib.setValue function in affected deployments and consider upgrading to newer versions of @syncfusion/ej2-spreadsheet if available, while awaiting further clarification on the supplier's dispute.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-53509
Vulnerability details
A prototype pollution in the lib.setValue function of @syncfusion/ej2-spreadsheet v27.2.2 allows attackers to cause a Denial of Service (DoS) via supplying a crafted payload. NOTE: the Supplier disputes this because they found that the lib.setValue function is not utilized.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Prototype pollution in JS library directly enables remote DoS via crafted payload exploitation of the application (T1499.004).
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly mitigates the prototype pollution vulnerability by requiring identification, reporting, and correction of flaws in the vulnerable @syncfusion/ej2-spreadsheet v27.2.2 package through patching or upgrades.
Prevents exploitation of the lib.setValue function by validating crafted payloads that enable prototype pollution leading to DoS.
Addresses the high-impact DoS outcome of prototype pollution by protecting system availability against network-based denial-of-service events.