CVE-2024-57066

High

Published: 05 February 2025

Published

05 February 2025

Modified

15 April 2026

KEV Added

—

Patch

—

CVSS Score 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

EPSS Score 0.0019 40.6th percentile

Risk Priority 15 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2024-57066 is a high-severity Prototype Pollution (CWE-1321) vulnerability. Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 40.6th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and 1 other technique. What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match

prevent

Requires timely identification, reporting, and correction of flaws like the prototype pollution in @ndhoule/defaults v2.0.1 to prevent DoS exploitation.

RA-5 Vulnerability Monitoring and Scanning good match

detect

Mandates vulnerability scanning and monitoring to identify the presence of CVE-2024-57066 in npm package dependencies.

SI-10 Information Input Validation partial match

prevent

Validates information inputs to block crafted payloads that trigger prototype pollution in the lib.deep function.

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

T1499.004 Application or System Exploitation Impact

Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.

attack.mitre.org →

Why these techniques?

Prototype pollution in public-facing npm package directly enables remote exploitation (T1190) leading to application DoS via crafted input (T1499.004).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

A prototype pollution in the lib.deep function of @ndhoule/defaults v2.0.1 allows attackers to cause a Denial of Service (DoS) via supplying a crafted payload.

Deeper analysisAI

CVE-2024-57066 is a prototype pollution vulnerability in the lib.deep function of the @ndhoule/defaults npm package version 2.0.1. This flaw allows attackers to manipulate object prototypes by supplying a crafted payload, leading to a Denial of Service (DoS) condition. The vulnerability is classified under CWE-1321 (Prototype Pollution) with a CVSS v3.1 base score of 7.5, reflecting high severity due to its impact on availability.

Remote attackers can exploit this vulnerability over the network with low complexity, requiring no privileges, authentication, or user interaction (AV:N/AC:L/PR:N/UI:N). By injecting a malicious payload into the lib.deep function, an attacker can pollute the prototype chain, potentially crashing the application or rendering it unresponsive, resulting in high availability impact (A:H) without affecting confidentiality or integrity.

Advisories point to a GitHub Gist for further details on the vulnerability: https://gist.github.com/tariqhawis/8ee7327cc8b78df738cd32505cbbbd44. No specific patches or mitigations are detailed in the provided CVE information.

Details

CWE(s): CWE-1321

CVEs Like This One

CVE-2024-57083Shared CWE-1321

CVE-2024-57069Shared CWE-1321

CVE-2026-30226Shared CWE-1321

CVE-2025-8083Shared CWE-1321

CVE-2026-30939Shared CWE-1321

CVE-2024-57067Shared CWE-1321

CVE-2024-57080Shared CWE-1321

CVE-2026-33993Shared CWE-1321

CVE-2026-28794Shared CWE-1321

CVE-2024-38988Shared CWE-1321

References

https://gist.github.com/tariqhawis/8ee7327cc8b78df738cd32505cbbbd44
cve@mitre.org