Cyber Resilience

CVE-2024-57074

High · DDoS

Published: 05 February 2025
Modified: 15 April 2026
KEV Added: not listed
CVSS Score v3.1: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
EPSS Score: 0.0019 (41.4th percentile)
Risk Priority: 15 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2024-57074 is a high-severity Uncontrolled Resource Consumption (CWE-400) vulnerability. Its CVSS base score is 7.5 (High).

Operationally, exploitation maps to the MITRE ATT&CK technique Application or System Exploitation (T1499.004). The CVE ranks at the 41.4th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2024-57074 is a prototype pollution vulnerability in the lib.merge function of xe-utils version 3.5.31. This flaw allows attackers to supply a crafted payload that triggers a Denial of Service (DoS) condition. The vulnerability carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H), reflecting high severity primarily due to its impact on availability, and is associated with CWE-400 (Uncontrolled Resource Consumption).

The vulnerability can be exploited remotely over the network with low attack complexity, requiring no privileges or user interaction, and with unchanged scope. Any unauthenticated attacker able to reach an application that passes its input to the affected xe-utils lib.merge function can supply a malicious payload, leading to resource exhaustion and DoS that disrupts service availability without compromising confidentiality or integrity.

Further details, including a proof-of-concept, are available in the advisory at https://gist.github.com/tariqhawis/82e3eb472d03273a74e40242e8356297. Practitioners should review this reference for reproduction steps and potential mitigation guidance, such as upgrading to a patched version of xe-utils if available.

Vulnerability details

A prototype pollution in the lib.merge function of xe-utils v3.5.31 allows attackers to cause a Denial of Service (DoS) via supplying a crafted payload.

CWE(s)

CWE-400 Uncontrolled Resource Consumption

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-assisted mapping)

T1499.004 Application or System Exploitation (tactic: Impact)
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Why these techniques?

Prototype pollution in lib.merge directly enables remote application exploitation resulting in resource exhaustion and endpoint DoS (T1499.004).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2024-56921 (shared CWE-400)
CVE-2026-33538 (shared CWE-400)
CVE-2026-0517 (shared CWE-400)
CVE-2026-6051 (shared CWE-400)
CVE-2026-21945 (shared CWE-400)
CVE-2026-33750 (shared CWE-400)
CVE-2024-33618 (shared CWE-400)
CVE-2025-69534 (shared CWE-400)
CVE-2025-29487 (shared CWE-400)
CVE-2025-9278 (shared CWE-400)

Mitigating Controls (NIST 800-53 r5, AI-assisted mapping)

SI-2 Flaw Remediation · prevent

Flaw remediation requires timely identification and patching of known vulnerabilities such as the prototype pollution in xe-utils lib.merge, directly preventing DoS exploitation.

SC-5 Denial-of-service Protection · prevent, detect

Denial-of-service protection implements mechanisms such as rate limiting and resource quotas to limit the effects of resource exhaustion from crafted payloads targeting xe-utils.

SI-10 Information Input Validation · prevent

Information input validation ensures that payloads supplied to the lib.merge function are checked and sanitized before use, blocking prototype pollution that leads to DoS.
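As an added illustration of the SI-10 and SC-5 controls above, and not code from xe-utils or from the advisory, the following JavaScript deep-merge refuses keys that would reach Object.prototype and bounds nesting depth and key count before copying untrusted JSON into application state. The limits MAX_DEPTH and MAX_KEYS and all sample inputs are assumptions constructed for this example.

```javascript
// Added example, not xe-utils code: deep-merge hardened against prototype pollution (SI-10) and unbounded input (SC-5).

const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);
const MAX_DEPTH = 16;   // assumed limit; tune to the application's schemas
const MAX_KEYS = 1000;  // assumed cap on keys copied per merge call

// True only for objects from {} or JSON.parse; arrays and class instances are copied by reference, never walked.
function isPlainObject(v) {
  if (v === null || typeof v !== 'object' || Array.isArray(v)) return false;
  const proto = Object.getPrototypeOf(v);
  return proto === Object.prototype || proto === null;
}

// Copies own enumerable keys of source into target. Throws on a forbidden key, on nesting deeper
// than MAX_DEPTH, or once the shared key counter passes MAX_KEYS; a throw leaves Object.prototype untouched.
function safeMerge(target, source, depth = 0, counter = { keys: 0 }) {
  if (depth > MAX_DEPTH) throw new Error('merge: nesting too deep');
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) throw new Error(`merge: forbidden key "${key}"`);
    if (++counter.keys > MAX_KEYS) throw new Error('merge: too many keys');
    const value = source[key];
    if (isPlainObject(value)) {
      // Descend only into a plain object that target itself owns, so an inherited property is never the destination.
      const own = Object.prototype.hasOwnProperty.call(target, key) ? target[key] : undefined;
      target[key] = safeMerge(isPlainObject(own) ? own : {}, value, depth + 1, counter);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Request-body helper: parse, validate and merge; returns a result instead of throwing so the caller can reject and log.
function mergeUntrustedJson(target, text) {
  try {
    const parsed = JSON.parse(text);
    if (!isPlainObject(parsed)) return { ok: false, error: 'body must be a JSON object' };
    safeMerge(target, parsed);
    return { ok: true, error: null };
  } catch (e) {
    return { ok: false, error: e.message };
  }
}

// Constructed sample inputs: one benign settings update and two the validator must reject.
const SAMPLE_BENIGN = '{"limits":{"mem":2},"name":"svc"}';
const SAMPLE_POLLUTING = '{"__proto__":{"polluted":true}}';
const SAMPLE_TOO_DEEP = '{"a":'.repeat(40) + '1' + '}'.repeat(40);
```

The depth and key budgets are the part that addresses CWE-400: a payload that passes the key check can still be rejected for size before any allocation-heavy work happens.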
