CVE-2024-12629

Medium

Published: 12 February 2025

Published

12 February 2025

Modified

27 June 2025

KEV Added

—

Patch

—

CVSS Score 4.1 CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:L

EPSS Score 0.0005 16.0th percentile

Risk Priority 8 60% EPSS · 20% KEV · 20% CVSS

Description

In Progress® Telerik® KendoReact versions v3.5.0 through v9.4.0, an attacker can introduce or modify properties within the global prototype chain which can result in denial of service or command injection.

Security Summary

CVE-2024-12629 is a prototype pollution vulnerability in Progress Telerik KendoReact versions v3.5.0 through v9.4.0. It enables an attacker to introduce or modify properties within the global prototype chain, which can lead to denial of service or command injection. The issue is classified under CWE-1321 and carries a CVSS v3.1 base score of 4.1 (AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:L).

Exploitation is possible over the network by an attacker with high privileges, though it requires high attack complexity and no user interaction. Upon success, the attacker can achieve low-level impacts on confidentiality, integrity, and availability, aligning with the potential for denial of service or command injection as described.

The Telerik knowledge base provides details on mitigation in their security advisory at https://www.telerik.com/kendo-react-ui/components/knowledge-base/kb-security-protoype-pollution-2024-12629.

Details

CWE(s): CWE-1321

Affected Products

progress

kendoreact

3.5.0 — 9.4.0

References

https://www.telerik.com/kendo-react-ui/components/knowledge-base/kb-security-protoype-pollution-2024-12629
Vendor Advisory · security@progress.com