Cyber Posture

CVE-2024-38988

CriticalPublic PoC

Published: 28 March 2025

Published
28 March 2025
Modified
14 April 2025
KEV Added
Patch
CVSS Score 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0038 59.3th percentile
Risk Priority 20 60% EPSS · 20% KEV · 20% CVSS

Description

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

Security Summary

CVE-2024-38988 is a prototype pollution vulnerability in alizeait unflatto versions up to and including 1.0.2. The flaw occurs via the exports.unflatto method located at /dist/index.js, enabling attackers to inject arbitrary properties into object prototypes.

With a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), the vulnerability is exploitable over the network by unauthenticated attackers requiring low complexity and no user interaction. Exploitation allows remote attackers to execute arbitrary code or trigger a Denial of Service (DoS) condition, as classified under CWE-1321: Improperly Controlled Modification of Object Prototype Attributes.

Further details are available in the referenced advisory at https://gist.github.com/mestrtee/4c5dfb66bea377889c44dd6c8af28713.

Details

CWE(s)
CWE-1321

Affected Products

alizeait
unflatto
≤ 1.0.2

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
attack.mitre.org →
Why these techniques?

The remotely exploitable prototype pollution vulnerability in a library allows unauthenticated attackers to achieve arbitrary code execution or DoS over the network, directly enabling exploitation of public-facing applications.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References