CVE-2024-57074
Published: 05 February 2025
Description
A prototype pollution in the lib.merge function of xe-utils v3.5.31 allows attackers to cause a Denial of Service (DoS) via supplying a crafted payload.
Security Summary
CVE-2024-57074 is a prototype pollution vulnerability in the lib.merge function of xe-utils version 3.5.31. An attacker who can feed a crafted object into lib.merge can trigger a Denial of Service (DoS) condition. The vulnerability carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H), reflecting high severity driven entirely by the availability impact, and is associated with CWE-400 (Uncontrolled Resource Consumption). Note that CWE-400 describes the reported impact; the underlying weakness class for prototype pollution is CWE-1321 (Improperly Controlled Modification of Object Prototype Attributes), so searches keyed on that CWE should also be expected to surface this issue.
The vulnerability is exploitable remotely over the network with low attack complexity; it requires no privileges and no user interaction, and the scope is unchanged. Any unauthenticated attacker whose input reaches a call to the affected lib.merge function, typically a JSON body or query object that the application deep-merges into its own configuration or defaults, can supply a malicious payload that exhausts resources and makes the service unavailable, without affecting confidentiality or integrity.
Further details, including a proof-of-concept, are available in the advisory at https://gist.github.com/tariqhawis/82e3eb472d03273a74e40242e8356297. Practitioners should review that reference for reproduction steps, and upgrade to a fixed release of xe-utils once one is confirmed. The standard interim mitigations for this bug class apply, independent of the advisory: reject or strip the keys `__proto__`, `constructor` and `prototype` from attacker-controlled objects before they are passed to any recursive merge, validate request bodies against a schema, and consider freezing `Object.prototype` at startup where the application tolerates it.
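The following is an added illustration of the prototype-pollution primitive that a recursive merge exposes, placed here to make the summary concrete. It is not the xe-utils source, not the advisory's proof-of-concept, and does not claim to reproduce the specific payload behind this CVE: `naiveMerge`, `safeMerge`, `probe` and the JSON payload are all constructed for this example. It shows why a merge that walks every own key of attacker-supplied JSON ends up writing onto `Object.prototype`, and what the hardened form of the same loop looks like.

```javascript
// Hypothetical recursive merge with the shape that makes this bug class possible.
// It is NOT lib.merge from xe-utils; it is a minimal stand-in for the pattern.

function isPlainObject(v) {
  return v !== null && typeof v === 'object' && !Array.isArray(v);
}

function naiveMerge(target, source) {
  for (const key of Object.keys(source)) {
    const val = source[key];
    if (isPlainObject(val)) {
      // When key is "__proto__", target[key] resolves (via the inherited getter)
      // to Object.prototype, so the recursion below writes attacker keys there.
      if (!isPlainObject(target[key])) target[key] = {};
      naiveMerge(target[key], val);
    } else {
      target[key] = val;
    }
  }
  return target;
}

// Hardened version: never descend through the prototype chain, and only recurse
// into a target property that the target actually owns.
const BLOCKED_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (BLOCKED_KEYS.has(key)) continue; // silently drop; throwing is also reasonable
    const val = source[key];
    if (isPlainObject(val)) {
      const ownPlain =
        Object.prototype.hasOwnProperty.call(target, key) && isPlainObject(target[key]);
      if (!ownPlain) target[key] = {};
      safeMerge(target[key], val);
    } else {
      target[key] = val;
    }
  }
  return target;
}

// Constructed attacker input as it would arrive in a request body. JSON.parse
// creates an *own* data property literally named "__proto__" (an object literal
// would instead set the prototype), so Object.keys() enumerates it.
const PAYLOAD_JSON = '{"name": "x", "__proto__": {"polluted": "yes"}}';

function makePayload() {
  return JSON.parse(PAYLOAD_JSON);
}

// Run one merge into a fresh object and report whether an unrelated, newly
// created object now inherits the attacker's key. Object.prototype is cleaned
// up afterwards so repeated probes start from the same state.
function probe(mergeFn) {
  const config = {};
  try {
    mergeFn(config, makePayload());
    return {
      ownName: config.name,                      // ordinary keys still merge
      polluted: ({}).polluted === 'yes',         // true only if the prototype was written
    };
  } finally {
    delete Object.prototype.polluted;
  }
}

// Stand-alone demonstration.
console.log('naiveMerge:', probe(naiveMerge)); // polluted: true
console.log('safeMerge: ', probe(safeMerge));  // polluted: false
```

The `probe` helper is the kind of check worth adding to an application's test suite for any deep-merge or "extend" utility it depends on: merge a JSON-parsed object with a `__proto__` key into an empty target and assert that a fresh `{}` does not pick up the injected property. Blocking the three keys is necessary but not sufficient on its own; keeping merge targets as `Object.create(null)` objects and validating request bodies against a schema close the remaining paths.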
Details
- CWE(s)