Cyber Posture

CVE-2024-57072

Severity: High

Published: 05 February 2025
Modified: 15 April 2026
KEV Added: none listed
Patch: none listed
CVSS Score: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
EPSS Score: 0.0007 (21.1st percentile)
Risk Priority: 15 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Description

A prototype pollution vulnerability in the lib.requireFromString function of module-from-string v3.3.1 allows attackers to cause a Denial of Service (DoS) by supplying a crafted payload.

Security Summary

CVE-2024-57072 is a prototype pollution vulnerability in the lib.requireFromString function of the module-from-string package at version 3.3.1. This flaw allows attackers to supply a crafted payload that pollutes the JavaScript prototype chain, leading to a Denial of Service (DoS) condition. The vulnerability is classified under CWE-1321 (Improperly Controlled Modification of Object Prototype Attributes) and carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H), indicating high severity primarily due to its impact on availability.

The vulnerability can be exploited remotely over the network by unauthenticated attackers, with no privileges or user interaction required. Any application that passes attacker-controlled input to the affected function is exposed: the crafted payload pollutes the prototype chain, disrupting normal execution so that the service crashes or becomes unresponsive, resulting in a DoS. The CVSS vector records no confidentiality or integrity impact; the rated effect is on availability only.

For mitigation details, refer to the advisory at https://gist.github.com/tariqhawis/8b1fe301dd1ea52952cef347daddee67.

Details

CWE(s): CWE-1321 (Improperly Controlled Modification of Object Prototype Attributes)
