CVE-2024-57064
Published: 05 February 2025
Description
A prototype pollution in the lib.setValue function of @syncfusion/ej2-spreadsheet v27.2.2 allows attackers to cause a Denial of Service (DoS) via supplying a crafted payload. NOTE: the Supplier disputes this because they found that the lib.setValue function is not utilized.
Security Summary
CVE-2024-57064 is a prototype pollution vulnerability (CWE-1321) in the lib.setValue function of the @syncfusion/ej2-spreadsheet npm package version 27.2.2. Published on 2025-02-05, it enables attackers to trigger a Denial of Service (DoS) by supplying a crafted payload. The vulnerability carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H). The supplier disputes the issue, asserting that the lib.setValue function is not utilized.
Attackers can exploit this remotely over the network with low attack complexity, requiring no privileges, authentication, or user interaction. Exploitation involves injecting a crafted payload into the vulnerable function, resulting in high-impact disruption to availability and causing a DoS condition without affecting confidentiality or integrity.
Advisories provide limited mitigation details, with the primary reference being a GitHub Gist at https://gist.github.com/tariqhawis/1b40dc7f3836813663c871535039760e. Practitioners should verify usage of the lib.setValue function in affected deployments and consider upgrading to newer versions of @syncfusion/ej2-spreadsheet if available, while awaiting further clarification on the supplier's dispute.
Details
- CWE(s)