CVE-2024-57074
Published: 05 February 2025
Summary
CVE-2024-57074 is a high-severity Uncontrolled Resource Consumption (CWE-400) vulnerability. Its CVSS base score is 7.5 (High).
Operationally, exploitation maps to the MITRE ATT&CK technique Endpoint Denial of Service: Application or System Exploitation (T1499.004). The CVE is ranked at the 41.4th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SI-10 (Information Input Validation).
Deeper analysis
CVE-2024-57074 is a prototype pollution vulnerability in the lib.merge function of xe-utils version 3.5.31. An attacker who can get a crafted payload into this function can trigger a Denial of Service (DoS) condition. The vulnerability carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H); the severity is driven entirely by the availability impact. Note that the weakness tracked for this CVE is CWE-400 (Uncontrolled Resource Consumption), which describes the DoS outcome rather than the prototype-pollution root cause itself (that pattern is catalogued separately as CWE-1321).
The vulnerability is exploitable remotely over the network with low attack complexity; it requires no privileges and no user interaction, and the scope is unchanged. Any unauthenticated attacker who can reach an application that passes attacker-controlled input into the affected xe-utils lib.merge function can supply a malicious payload, causing resource exhaustion and a DoS that disrupts availability without compromising confidentiality or integrity.
Further details, including a proof-of-concept, are available in the advisory at https://gist.github.com/tariqhawis/82e3eb472d03273a74e40242e8356297. Practitioners should review this reference for reproduction steps and mitigation guidance; the primary remediation is upgrading to a version of xe-utils later than 3.5.31 that includes the fix, once such a release is confirmed.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-53517
Vulnerability details
A prototype pollution in the lib.merge function of xe-utils v3.5.31 allows attackers to cause a Denial of Service (DoS) via supplying a crafted payload.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Prototype pollution in lib.merge directly enables remote application exploitation resulting in resource exhaustion and endpoint DoS (T1499.004).
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): timely identification and patching of known vulnerabilities such as the prototype pollution in xe-utils lib.merge removes the flaw itself and so directly prevents DoS exploitation.
- SC-5 (Denial-of-service Protection): mechanisms such as rate limiting and resource quotas bound the effect of resource exhaustion caused by crafted payloads targeting xe-utils, limiting blast radius even before a patch is applied.
- SI-10 (Information Input Validation): crafted payloads supplied to the lib.merge function are checked and sanitized before merging, blocking prototype pollution and the DoS that follows from it.
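The following is an added example illustrating both the vulnerability class described in the Deeper analysis section and the SI-10 input-validation control just listed. It is not xe-utils' lib.merge implementation and not the proof-of-concept from the referenced advisory: it uses a deliberately naive recursive merge as a stand-in for the generic prototype-pollution pattern, places a hardened merge and a payload validator beside it, and shows how to probe whether Object.prototype has been polluted. The payload, the function names and the `polluted` marker key are constructed for illustration; the specific payload that exhausts resources in lib.merge is in the gist and is not reproduced here.

```javascript
// Added illustration for CVE-2024-57074. NOT the xe-utils code: a minimal
// stand-in recursive merge (assumption) that exhibits the prototype-pollution
// pattern, beside a hardened version and an SI-10 style payload validator.

const DANGEROUS_KEYS = new Set(["__proto__", "constructor", "prototype"]);

function isPlainObject(v) {
  return v !== null && typeof v === "object" && !Array.isArray(v);
}

// Vulnerable: for..in visits the own "__proto__" key that JSON.parse creates,
// and target["__proto__"] resolves through the inherited accessor to
// Object.prototype, so the nested write lands on the shared prototype.
function unsafeMerge(target, source) {
  for (const key in source) {
    const sv = source[key];
    if (isPlainObject(sv)) {
      if (!isPlainObject(target[key])) target[key] = {};
      unsafeMerge(target[key], sv);
    } else {
      target[key] = sv;
    }
  }
  return target;
}

// Hardened: iterate own keys only, skip prototype-reaching names, and never
// descend into a value inherited from the target's prototype chain.
function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (DANGEROUS_KEYS.has(key)) continue; // drop (or reject) dangerous keys
    const sv = source[key];
    if (isPlainObject(sv)) {
      const existing = Object.prototype.hasOwnProperty.call(target, key)
        ? target[key]
        : undefined;
      if (!isPlainObject(existing)) target[key] = {};
      safeMerge(target[key], sv);
    } else {
      target[key] = sv;
    }
  }
  return target;
}

// SI-10 style validation: walk a parsed JSON document and report the paths of
// every key that could reach a prototype, so the request can be rejected
// before any merge runs. Returns an array of JSONPath-like strings.
function findDangerousKeys(value, path = "$") {
  const hits = [];
  if (!isPlainObject(value)) return hits;
  for (const key of Object.keys(value)) {
    const here = `${path}.${key}`;
    if (DANGEROUS_KEYS.has(key)) hits.push(here);
    hits.push(...findDangerousKeys(value[key], here));
  }
  return hits;
}

// Constructed attacker payload, as it might arrive in a JSON request body.
const CRAFTED_PAYLOAD = '{"name":"ok","__proto__":{"polluted":true}}';

// Runs the vulnerable and hardened merges against the payload and returns what
// an engineer would want to check: whether an unrelated object now inherits
// the injected key, what the hardened merge produced, and what validation flagged.
function runDemo() {
  const payload = JSON.parse(CRAFTED_PAYLOAD);

  unsafeMerge({}, payload);
  const vulnerablePolluted = ({}).polluted === true; // fresh object inherits the key
  delete Object.prototype.polluted;                  // undo so the rest of the demo is clean

  const hardenedResult = safeMerge({}, JSON.parse(CRAFTED_PAYLOAD));
  const hardenedPolluted = ({}).polluted === true;

  return {
    vulnerablePolluted,                   // true
    hardenedPolluted,                     // false
    hardenedResult,                       // { name: "ok" }
    flagged: findDangerousKeys(payload),  // ["$.__proto__"]
  };
}

console.log(runDemo());
```

The probe `({}).polluted === true` is the cheapest runtime check for this class of bug: if a freshly created object inherits a key the application never set, a merge somewhere has written to Object.prototype. In production code prefer rejecting the request in `findDangerousKeys` over silently dropping keys, and keep `Object.keys` (own keys only) rather than `for..in` in any deep-merge helper you write or review.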