CVE-2024-57068

High

Published: 05 February 2025

Published

05 February 2025

Modified

15 April 2026

KEV Added

—

Patch

—

CVSS Score 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

EPSS Score 0.0017 38.2th percentile

Risk Priority 15 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2024-57068 is a high-severity Incorrect Permission Assignment for Critical Resource (CWE-732) vulnerability. Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004); ranked at the 38.2th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Application or System Exploitation (T1499.004). What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match

prevent

SI-2 mandates timely flaw remediation, directly preventing exploitation by patching the prototype pollution vulnerability in @tanstack/form-core v0.35.0.

RA-5 Vulnerability Monitoring and Scanning good match

detect

RA-5 requires vulnerability scanning that identifies the presence of CVE-2024-57068 in deployed software components.

SC-5 Denial-of-service Protection partial match

prevent

SC-5 provides denial-of-service protections to mitigate the high availability impact from crafted payloads exploiting this vulnerability.

MITRE ATT&CK Enterprise TechniquesAI

T1499.004 Application or System Exploitation Impact

Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.

attack.mitre.org →

Why these techniques?

Prototype pollution in JS library directly enables remote unauthenticated DoS via crafted input, matching application exploitation for endpoint availability impact.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

A prototype pollution in the lib.mutateMergeDeep function of @tanstack/form-core v0.35.0 allows attackers to cause a Denial of Service (DoS) via supplying a crafted payload.

Deeper analysisAI

CVE-2024-57068 is a prototype pollution vulnerability in the lib.mutateMergeDeep function of @tanstack/form-core version 0.35.0. This issue allows attackers to cause a Denial of Service (DoS) condition by supplying a crafted payload. The vulnerability is classified under CWE-732 and carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H), highlighting its potential for high availability impact.

Attackers can exploit this vulnerability remotely over the network with low attack complexity, requiring no authentication privileges or user interaction. Successful exploitation results in a DoS, disrupting service availability without compromising confidentiality or integrity.

Mitigation details are provided in the advisory referenced at https://gist.github.com/tariqhawis/47fe5b1e584e9e573c0933588248d533.

Details

CWE(s): CWE-732

CVEs Like This One

CVE-2025-21564Shared CWE-732

CVE-2024-38337Shared CWE-732

CVE-2025-0064Shared CWE-732

CVE-2026-24834Shared CWE-732

CVE-2025-1067Shared CWE-732

CVE-2026-26102Shared CWE-732

CVE-2025-0066Shared CWE-732

CVE-2025-33088Shared CWE-732

CVE-2025-12985Shared CWE-732

CVE-2025-21325Shared CWE-732

References

https://gist.github.com/tariqhawis/47fe5b1e584e9e573c0933588248d533
cve@mitre.org