Cyber Posture

CVE-2024-57085

Severity: High
Published: 05 February 2025
Modified: 15 April 2026
CVSS Score: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
EPSS Score: 0.0027 (50.2th percentile)
Risk Priority: 15 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2024-57085 is a high-severity Uncontrolled Resource Consumption (CWE-400) vulnerability. Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004). The CVE is ranked in the top 49.8% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SI-10 (Information Input Validation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Application or System Exploitation (T1499.004). What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

- Prevent: Flaw remediation requires timely patching of the prototype pollution vulnerability in @stryker-mutator/util v8.6.0 to prevent DoS via crafted payloads.
- Prevent: Information input validation ensures crafted payloads targeting the deepMerge function are rejected before polluting the JavaScript prototype chain.
- Prevent: Denial-of-service protection implements resource limits to mitigate uncontrolled consumption caused by prototype pollution exploitation.

MITRE ATT&CK Enterprise Techniques

T1499.004 Application or System Exploitation (Impact)
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.

Why these techniques?

Prototype pollution in deepMerge directly enables remote exploitation of the application for DoS via uncontrolled resource consumption.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

A prototype pollution in the function deepMerge of @stryker-mutator/util v8.6.0 allows attackers to cause a Denial of Service (DoS) via supplying a crafted payload.

Deeper analysis

CVE-2024-57085 is a prototype pollution vulnerability in the deepMerge function of the @stryker-mutator/util package version 8.6.0. This flaw allows attackers to supply a crafted payload that pollutes the JavaScript prototype chain, leading to a Denial of Service (DoS) condition. The vulnerability is classified under CWE-400 (Uncontrolled Resource Consumption) and carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H), indicating high severity primarily due to its impact on availability.

The vulnerability can be exploited remotely over the network by unauthenticated attackers with low complexity and no user interaction required. By providing a specially crafted input to the deepMerge function, attackers can trigger excessive resource consumption, causing the application to crash or become unresponsive, resulting in a DoS. There is no impact on confidentiality or integrity, but the high availability impact makes it suitable for disrupting services that rely on this utility package.

For mitigation details, refer to the advisory at https://gist.github.com/tariqhawis/f59355f62dad6f8b53b42317f143ba0c, which provides proof-of-concept information published on 2025-02-05.
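As an added example (not code from @stryker-mutator/util, whose deepMerge is not reproduced here), this is a deep merge written the way the SI-10 and SC-5 controls above describe: untrusted input is checked for keys that reach the prototype chain before anything is merged, and nesting depth is capped so a crafted payload cannot drive unbounded recursion. The config shape, the `mergeUntrustedConfig` wrapper and the sample payloads are constructed for illustration.

```javascript
// Keys that, when merged into a plain object, can reach Object.prototype.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Only plain dictionaries are merged recursively; arrays, class instances,
// Dates etc. are assigned as opaque values.
function isPlainObject(value) {
  if (value === null || typeof value !== 'object' || Array.isArray(value)) return false;
  const proto = Object.getPrototypeOf(value);
  return proto === Object.prototype || proto === null;
}

// Merges `source` into `target`. Rejects prototype-polluting keys (input
// validation) and refuses to descend past `maxDepth` levels (resource limit).
function safeDeepMerge(target, source, maxDepth = 32) {
  if (maxDepth <= 0) throw new RangeError('merge depth limit exceeded');
  for (const key of Object.keys(source)) { // own, enumerable keys only
    if (FORBIDDEN_KEYS.has(key)) {
      throw new TypeError(`refusing to merge forbidden key "${key}"`);
    }
    const src = source[key];
    const dst = target[key];
    if (isPlainObject(src) && isPlainObject(dst)) {
      safeDeepMerge(dst, src, maxDepth - 1);
    } else if (isPlainObject(src)) {
      target[key] = safeDeepMerge({}, src, maxDepth - 1); // copy, never alias input
    } else {
      target[key] = src;
    }
  }
  return target;
}

// Parses untrusted JSON and merges it over a fresh copy of `defaults`, so a
// rejected payload leaves neither `defaults` nor the prototype chain modified.
// Returns { ok: true, config } or { ok: false, reason }.
function mergeUntrustedConfig(defaults, jsonText) {
  try {
    const parsed = JSON.parse(jsonText); // a JSON "__proto__" key becomes an own property
    if (!isPlainObject(parsed)) return { ok: false, reason: 'top-level value must be an object' };
    const config = safeDeepMerge(safeDeepMerge({}, defaults), parsed);
    return { ok: true, config };
  } catch (err) {
    return { ok: false, reason: err.message };
  }
}

// Constructed sample inputs: one benign override, one prototype-polluting payload.
const CONSTRUCTED_BENIGN = '{"timeoutMs":1000,"reporters":{"html":{"enabled":true}}}';
const CONSTRUCTED_POLLUTION = '{"timeoutMs":1000,"__proto__":{"polluted":true}}';
```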

Details

CWE(s): CWE-400 (Uncontrolled Resource Consumption)

CVEs Like This One

- CVE-2025-9464 (shared CWE-400)
- CVE-2024-53458 (shared CWE-400)
- CVE-2024-56921 (shared CWE-400)
- CVE-2026-33538 (shared CWE-400)
- CVE-2025-9280 (shared CWE-400)
- CVE-2026-28412 (shared CWE-400)
- CVE-2026-33750 (shared CWE-400)
- CVE-2026-34290 (shared CWE-400)
- CVE-2025-70047 (shared CWE-400)
- CVE-2025-9465 (shared CWE-400)