Cyber Resilience

CVE-2024-57083

HighPublic PoC

Published: 28 March 2025

Published
28 March 2025
Modified
14 April 2025
KEV Added
Patch
CVSS Score v3.1 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS Score 0.0004 14.3th percentile
Risk Priority 15 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2024-57083 is a high-severity Prototype Pollution (CWE-1321) vulnerability in Redocly Redoc. Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 14.3th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2024-57083 is a prototype pollution vulnerability in the Module.mergeObjects component, located at redoc/bundles/redoc.lib.js:2, affecting Redoc versions 2.2.0 and earlier. Published on 2025-03-28, the flaw allows attackers to cause a Denial of Service (DoS) condition by supplying a crafted payload. It carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) and is classified under CWE-1321.

The vulnerability enables remote exploitation over the network with low complexity, requiring no authentication privileges or user interaction. Attackers can trigger it by delivering a specially crafted payload to affected Redoc instances, resulting in high-impact disruption to availability while leaving confidentiality and integrity unaffected.

Mitigation details are available in the referenced GitHub issue at https://github.com/Redocly/redoc/issues/2499.

EU & UK References

Vulnerability details

A prototype pollution in the component Module.mergeObjects (redoc/bundles/redoc.lib.js:2) of redoc <= 2.2.0 allows attackers to cause a Denial of Service (DoS) via supplying a crafted payload.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1499.004 Application or System Exploitation Impact
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Why these techniques?

Prototype pollution enables remote exploitation of public-facing Redoc application (T1190) to trigger application-level DoS via crafted payload (T1499.004).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-8083Shared CWE-1321
CVE-2026-33993Shared CWE-1321
CVE-2026-30939Shared CWE-1321
CVE-2026-30226Shared CWE-1321
CVE-2024-57080Shared CWE-1321
CVE-2024-57066Shared CWE-1321
CVE-2024-57067Shared CWE-1321
CVE-2024-57069Shared CWE-1321
CVE-2024-12629Shared CWE-1321
CVE-2026-24888Shared CWE-1321

Affected Assets

redocly
redoc
≤ 2.2.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly remediates the prototype pollution flaw in Redoc <=2.2.0 by identifying, testing, and deploying vendor patches.

prevent

Prevents DoS exploitation by validating and sanitizing crafted payloads supplied to the vulnerable Module.mergeObjects function.

prevent

Mitigates the high-impact availability disruption from prototype pollution-induced DoS through resource allocation and traffic filtering.

References