CVE-2024-57072
Published: 05 February 2025
Summary
CVE-2024-57072 is a high-severity Prototype Pollution (CWE-1321) vulnerability. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004); ranked at the 21.5th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2024-57072 is a prototype pollution vulnerability in the lib.requireFromString function of the module-from-string package at version 3.3.1. This flaw allows attackers to supply a crafted payload that pollutes the JavaScript prototype chain, leading to a Denial of Service (DoS) condition. The vulnerability is classified under CWE-1321 (Improperly Controlled Modification of Object Prototype Attributes) and carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H), indicating high severity primarily due to its impact on availability.
The vulnerability can be exploited remotely over the network by unauthenticated attackers with no privileges or user interaction required. An attacker simply needs to provide a malicious payload to an application using the affected function, triggering prototype pollution that disrupts normal execution and causes the service to crash or become unresponsive, resulting in a DoS.
For mitigation details, refer to the advisory at https://gist.github.com/tariqhawis/8b1fe301dd1ea52952cef347daddee67.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-53516
Vulnerability details
A prototype pollution in the lib.requireFromString function of module-from-string v3.3.1 allows attackers to cause a Denial of Service (DoS) via supplying a crafted payload.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Prototype pollution input directly triggers application crash/Denial of Service via exploitation of the vulnerable function, matching T1499.004 (Application or System Exploitation).
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Flaw remediation directly addresses the prototype pollution vulnerability in module-from-string v3.3.1 by requiring timely patching or replacement to prevent DoS exploitation.
Information input validation prevents crafted payloads from polluting the JavaScript prototype chain in lib.requireFromString by sanitizing untrusted string inputs.
Denial-of-service protection mitigates the availability impact of prototype pollution-induced crashes through rate limiting and resource controls.