Cyber Posture

CVE-2024-57077

Severity: Critical
Published: 05 February 2025
Modified: 15 April 2026
KEV Added: not listed
Patch: none listed
CVSS Score: 9.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H)
EPSS Score: 0.0021 (43.3rd percentile)
Risk Priority: 18 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2024-57077 is a critical-severity Prototype Pollution (CWE-1321) vulnerability in the utils-extend JavaScript library (version 1.0.8, reachable through its lib.extend entry function). Its CVSS base score is 9.1 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). It is ranked at the 43.3rd percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and RA-5 (Vulnerability Monitoring and Scanning).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190). What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

SI-2 Flaw Remediation (prevent)

Directly requires timely remediation of known vulnerabilities like CVE-2024-57077 by patching or replacing the vulnerable utils-extend library.

Input validation (prevent)

Validates untrusted input before it reaches the lib.extend function in utils-extend, rejecting or stripping object keys such as __proto__ that a prototype pollution payload relies on.

RA-5 Vulnerability Monitoring and Scanning (detect)

Enables dependency scanning and monitoring to identify the presence of the vulnerable utils-extend version 1.0.8 in system components, including transitive copies nested under other packages.
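The RA-5 check above, as an added example that is not the site's or the library's code: a Node.js script that walks an npm lockfile and reports every installed copy of utils-extend at or below 1.0.8, the version the advisory names as vulnerable. The sample lockfile is constructed for the example. Because this page lists no fixed release, the version threshold is a parameter (assumed 1.0.8) to raise if one appears.

```javascript
// Added example (not utils-extend's or the site's code): scan an npm lockfile
// for installed copies of utils-extend whose version is <= 1.0.8, the version
// the advisory names as vulnerable. Assumptions: no fixed release is listed on
// the page, so "1.0.8" is a threshold parameter; the lockfile layouts handled
// are npm lockfileVersion 1 (nested "dependencies") and 2/3 (flat "packages"
// keyed by node_modules path).

// Compare two "x.y.z" versions numerically; a pre-release suffix is ignored.
function cmpVersion(a, b) {
  const toParts = (v) => v.replace(/^v/, "").split("-")[0].split(".").map(Number);
  const pa = toParts(a);
  const pb = toParts(b);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

// Return every installed copy of `pkg` whose version is <= `maxVuln`,
// as { path, version } records, top-level and nested copies alike.
function findVulnerable(lock, pkg = "utils-extend", maxVuln = "1.0.8") {
  const hits = [];
  const check = (path, name, version) => {
    if (name === pkg && version && cmpVersion(version, maxVuln) <= 0) {
      hits.push({ path, version });
    }
  };
  if (lock.packages) {
    // lockfileVersion 2/3: keys are paths like node_modules/a/node_modules/b
    const marker = "node_modules/";
    for (const [path, entry] of Object.entries(lock.packages)) {
      if (path === "") continue; // the root project itself
      const name = entry.name || path.slice(path.lastIndexOf(marker) + marker.length);
      check(path, name, entry.version);
    }
  } else if (lock.dependencies) {
    // lockfileVersion 1: nested tree of { name: { version, dependencies } }
    const walk = (deps, prefix) => {
      for (const [name, entry] of Object.entries(deps)) {
        const path = `${prefix}node_modules/${name}`;
        check(path, name, entry.version);
        if (entry.dependencies) walk(entry.dependencies, `${path}/`);
      }
    };
    walk(lock.dependencies, "");
  }
  return hits;
}

// Constructed sample lockfile (lockfileVersion 3): one top-level copy of the
// library and one older transitive copy nested under another package.
const SAMPLE_LOCK = {
  name: "demo-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", dependencies: { "utils-extend": "^1.0.8" } },
    "node_modules/utils-extend": { version: "1.0.8" },
    "node_modules/some-lib": { version: "2.3.1" },
    "node_modules/some-lib/node_modules/utils-extend": { version: "1.0.6" },
  },
};

// Usage: node scan-lock.js [path/to/package-lock.json]; without an argument
// the constructed sample is scanned.
const lockPath = process.argv[2];
const lock = lockPath
  ? JSON.parse(require("node:fs").readFileSync(lockPath, "utf8"))
  : SAMPLE_LOCK;
for (const hit of findVulnerable(lock)) {
  console.log(`${hit.path}: utils-extend@${hit.version} (<= 1.0.8, vulnerable)`);
}
```

Run it against each service's package-lock.json in CI; the nested path in the output tells you which direct dependency pulled the library in, which is what you need when the fix is to replace the dependent package rather than utils-extend itself.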

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Remote, unauthenticated exploitation of an Internet-facing application that passes crafted input (for example a JSON request body) to the utils-extend library, enabling prototype pollution with high-impact integrity and availability effects.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

The latest version of utils-extend (1.0.8) is vulnerable to Prototype Pollution through the entry function(s) lib.extend. An attacker can supply a payload with Object.prototype setter to introduce or modify properties within the global prototype chain, causing denial of service (DoS) as the minimum consequence.

Deeper analysis

CVE-2024-57077 is a prototype pollution vulnerability in the latest version of the utils-extend JavaScript library (1.0.8). The issue resides in the lib.extend entry function, which allows an attacker to supply a payload that sets properties on Object.prototype. This enables the introduction or modification of properties within the global prototype chain.

The vulnerability has a CVSS v3.1 base score of 9.1 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H), indicating it is exploitable remotely by unauthenticated attackers with low complexity and no user interaction. Exploitation can at minimum cause denial of service (DoS), with potential for high integrity and availability impacts through prototype chain manipulation (CWE-1321).

Mitigation details are available in the advisory referenced at https://gist.github.com/tariqhawis/64bac50f8c2706e6880e45d50a507114. The CVE was published on 2025-02-05.
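The mechanism described above, as an added example that is not utils-extend's own source and not taken from the referenced advisory: a minimal recursive extend() of the kind CWE-1321 affects, next to a hardened version, driven by a constructed JSON payload. It shows both consequences named on this page: an integrity effect (a property appearing on every object in the process) and the DoS effect (string conversion of a plain object throwing). Object.prototype is restored after each demo so the process stays usable.

```javascript
// Added example (not utils-extend's own source): a minimal recursive extend()
// of the kind CWE-1321 affects, beside a hardened version, with constructed
// attacker payloads. Object.prototype is restored after each demo.
const isObject = (v) => v !== null && typeof v === "object";

// Vulnerable: copies every own key of `source`, including "__proto__".
// Reading target["__proto__"] yields Object.prototype, so the recursion
// writes the attacker's nested keys straight into the global prototype.
function extendUnsafe(target, source) {
  for (const key of Object.keys(source)) {
    const val = source[key];
    if (isObject(val)) {
      if (!isObject(target[key])) target[key] = {};
      extendUnsafe(target[key], val);
    } else {
      target[key] = val;
    }
  }
  return target;
}

// Hardened: refuse the keys that reach the prototype chain, and only recurse
// into a child that is an own, plain-object property of `target`.
const BLOCKED_KEYS = new Set(["__proto__", "constructor", "prototype"]);
function extendSafe(target, source) {
  for (const key of Object.keys(source)) {
    if (BLOCKED_KEYS.has(key)) continue;
    const val = source[key];
    if (isObject(val)) {
      const own = Object.prototype.hasOwnProperty.call(target, key);
      if (!own || !isObject(target[key])) target[key] = {};
      extendSafe(target[key], val);
    } else {
      target[key] = val;
    }
  }
  return target;
}

// Constructed attacker payloads. JSON.parse creates an *own* "__proto__"
// key, which is exactly what a JSON request body hands to an extend() call.
const INTEGRITY_PAYLOAD = '{"__proto__":{"isAdmin":true}}';
const DOS_PAYLOAD = '{"__proto__":{"toString":"not-a-function"}}';

// True if merging the payload made an unrelated object report isAdmin.
function pollutes(extendFn) {
  try {
    extendFn({}, JSON.parse(INTEGRITY_PAYLOAD));
    const unrelated = {};
    return unrelated.isAdmin === true;
  } finally {
    delete Object.prototype.isAdmin;
  }
}

// True if merging the payload makes String({}) throw a TypeError, i.e. any
// later string conversion of a plain object now crashes the request.
function breaksToString(extendFn) {
  const original = Object.prototype.toString;
  try {
    extendFn({}, JSON.parse(DOS_PAYLOAD));
    String({});
    return false;
  } catch (e) {
    return e instanceof TypeError;
  } finally {
    Object.prototype.toString = original;
  }
}

console.log("unsafe pollutes:", pollutes(extendUnsafe)); // true
console.log("safe pollutes:", pollutes(extendSafe)); // false
console.log("unsafe breaks String():", breaksToString(extendUnsafe)); // true
console.log("safe breaks String():", breaksToString(extendSafe)); // false
```

Two points the demo makes concrete: the vulnerable path needs nothing but a JSON body with a "__proto__" key, so the CVSS vector's PR:N/UI:N is accurate for any endpoint that merges request data; and the hardened form is only part of the fix, since objects that must carry attacker-chosen keys are better held in a Map or in an object created with Object.create(null), which has no prototype to pollute.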

Details

CWE(s)

CWE-1321 Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')

CVEs Like This One (shared CWE-1321)

CVE-2026-28794
CVE-2024-38988
CVE-2025-61140
CVE-2026-34221
CVE-2026-29063
CVE-2026-32621
CVE-2025-66456
CVE-2026-32878
CVE-2026-35209
CVE-2026-33994

References

https://gist.github.com/tariqhawis/64bac50f8c2706e6880e45d50a507114