CVE-2024-57067
Published: 05 February 2025
Summary
CVE-2024-57067 is a high-severity Prototype Pollution (CWE-1321) vulnerability. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 40.8th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2024-57067 is a prototype pollution vulnerability in the lib.parse function of the dot-qs v0.2.0 package. This flaw enables attackers to supply a crafted payload that pollutes the JavaScript prototype chain, leading to a Denial of Service (DoS) condition. The vulnerability carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) and is classified under CWE-1321 (Prototype Pollution). It was published on 2025-02-05.
A remote attacker with no required privileges can exploit this vulnerability over the network with low attack complexity and no user interaction. By delivering a specially crafted payload to an application that uses dot-qs v0.2.0 for query string parsing, the attacker triggers prototype pollution, resulting in high-impact disruption to availability, such as application crashes or resource exhaustion.
For details on advisories, patches, or mitigation strategies, refer to the provided reference: https://gist.github.com/tariqhawis/07dca101d8fe059dd11b3b0e1b4a6d46.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-53512
Vulnerability details
A prototype pollution in the lib.parse function of dot-qs v0.2.0 allows attackers to cause a Denial of Service (DoS) via supplying a crafted payload.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Remote network exploitation of the prototype pollution flaw in a query-string parser directly enables T1190 (Exploit Public-Facing Application) and produces application crashes/resource exhaustion that map to T1499.004 (Application or System Exploitation).
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Flaw remediation directly addresses the prototype pollution vulnerability in dot-qs v0.2.0 by requiring timely patching or replacement of the affected library to prevent DoS exploitation.
Information input validation ensures crafted payloads targeting the lib.parse function are sanitized or rejected before processing, blocking prototype pollution attacks.
Denial-of-service protection limits the impact of resource exhaustion or crashes resulting from prototype pollution in the query string parser.