CVE-2024-57071

CVE-2024-57071 is a prototype pollution vulnerability in the lib.combine function of php-parser version 3.2.1. This flaw allows attackers to supply a crafted payload that pollutes the JavaScript prototype chain, leading to a Denial of Service (DoS) condition. The vulnerability is classified under CWE-1321 (Prototype Pollution) and carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H), indicating high severity primarily due to its impact on availability.

The attack requires no authentication or user interaction, making it exploitable by unauthenticated attackers over the network with low complexity. By sending a specially crafted payload to an application using the vulnerable php-parser v3.2.1 library, attackers can trigger the prototype pollution in lib.combine, resulting in resource exhaustion or application crashes that disrupt service availability without affecting confidentiality or integrity.

Advisories reference a GitHub Gist at https://gist.github.com/tariqhawis/b56500d3a8866467ee769df7453eedaa, which likely contains proof-of-concept details for the vulnerability, though specific patch or mitigation guidance is not detailed in available information.