Cyber Posture

CVE-2024-38985

Critical · Public PoC

Published: 28 March 2025
Modified: 30 April 2025
KEV Added: not listed
Patch: not listed
CVSS Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0116 (78.7th percentile)
Risk Priority: 20 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Description

Prototype pollution in janryWang's depath v1.0.6 and cool-path v1.1.2 via the set() method in lib/index.js: attacker-controlled path strings can inject arbitrary properties into object prototypes, leading to arbitrary code execution or denial of service (DoS).

Security Summary

CVE-2024-38985 is a prototype pollution vulnerability affecting janryWang products depath v1.0.6 and cool-path v1.1.2. The flaw occurs via the set() method at setIn (lib/index.js:90), enabling attackers to inject arbitrary properties into prototypes. Published on 2025-03-28, it has a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) and maps to CWE-1321.

Unauthenticated remote attackers can exploit this vulnerability over the network with low attack complexity and no user interaction, provided the consuming application passes attacker-controlled path strings (keys such as __proto__ or constructor.prototype) into set(). Polluting Object.prototype can crash the process (DoS) or, where the application contains a suitable gadget that reads the polluted property, escalate to arbitrary code execution. The 9.8 score reflects that worst case; the real impact depends on how the library is used.

Advisories and related resources include a GitHub issue for depath at https://github.com/janryWang/depath/issues/11 and a proof-of-concept gist at https://gist.github.com/mestrtee/32c0a48023036e51918f6a098f21953d.
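The bug class described above, as an added example that is not depath's or cool-path's own code: a minimal "set by path" helper written in the vulnerable style (walks and creates intermediate objects without inspecting the keys), beside a hardened version that rejects prototype-reaching keys and only descends into own properties. The function names setInUnsafe, setInSafe and pollutionDemo and the sample payloads are assumptions made for the illustration.

```javascript
// Added example, not library code. Models the flaw behind CVE-2024-38985:
// a set(obj, "a.b.c", value) helper that trusts the path string.
const UNSAFE_KEYS = new Set(["__proto__", "constructor", "prototype"]);

function parsePath(path) {
  return Array.isArray(path) ? path : String(path).split(".");
}

function isObjectLike(v) {
  return v !== null && (typeof v === "object" || typeof v === "function");
}

// Vulnerable: "__proto__" resolves to Object.prototype on the first hop and
// "constructor.prototype" reaches it in two, so the final assignment lands on
// the shared prototype instead of on the target object.
function setInUnsafe(target, path, value) {
  const keys = parsePath(path);
  let cur = target;
  for (let i = 0; i < keys.length - 1; i++) {
    const k = keys[i];
    if (!isObjectLike(cur[k])) cur[k] = {};
    cur = cur[k];
  }
  cur[keys[keys.length - 1]] = value;
  return target;
}

// Hardened: reject prototype-reaching keys before touching anything, and only
// descend into properties the current object actually owns (never inherited).
function setInSafe(target, path, value) {
  const keys = parsePath(path);
  for (const k of keys) {
    if (UNSAFE_KEYS.has(k)) {
      throw new TypeError(`refusing to set unsafe key "${k}"`);
    }
  }
  let cur = target;
  for (let i = 0; i < keys.length - 1; i++) {
    const k = keys[i];
    if (!Object.prototype.hasOwnProperty.call(cur, k) || !isObjectLike(cur[k])) {
      cur[k] = {};
    }
    cur = cur[k];
  }
  cur[keys[keys.length - 1]] = value;
  return target;
}

// Runs one setter against a constructed attacker payload and reports whether
// a fresh, unrelated object now inherits the injected property. Cleans up
// Object.prototype afterwards so repeated runs do not interfere.
function pollutionDemo(setter, payload) {
  const probe = () => ({}).polluted;
  const before = probe();
  let rejected = false;
  try {
    setter({}, payload, "yes");
  } catch (e) {
    rejected = e instanceof TypeError;
  }
  const after = probe();
  delete Object.prototype.polluted;
  return { before, after, rejected };
}

// Stand-alone run: constructed payloads, one per known prototype-reaching route.
for (const payload of ["__proto__.polluted", "constructor.prototype.polluted"]) {
  console.log(payload, "unsafe:", pollutionDemo(setInUnsafe, payload));
  console.log(payload, "safe:  ", pollutionDemo(setInSafe, payload));
}
```

The key check is done up front over the whole path, so a rejected call leaves no partial writes behind. Rejecting the three keys is the fix most path-setting libraries adopted; defence in depth on the application side is to build lookup objects with Object.create(null), to call Object.freeze(Object.prototype) at startup where the runtime allows it, and to treat any user-supplied key string reaching a deep-set or deep-merge helper as untrusted input.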

Details

CWE(s)
CWE-1321

Affected Products

janrywang
depath
1.0.6
cool-path
1.1.2

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1059.007 JavaScript Execution
Adversaries may abuse various implementations of JavaScript for execution.
Why these techniques?

Remote unauthenticated code execution via prototype pollution in an exposed JavaScript library maps directly to T1190 (exploitation of a public-facing application) and T1059.007 (JavaScript execution).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0
