Cyber Posture

CVE-2024-57077

Critical

Published: 05 February 2025
Modified: 15 April 2026
KEV Added
Patch
CVSS Score: 9.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H)
EPSS Score: 0.0021 (43.3rd percentile)
Risk Priority: 18 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Description

The latest version of utils-extend (1.0.8) is vulnerable to Prototype Pollution through the entry function(s) lib.extend. An attacker can supply a payload with an Object.prototype setter to introduce or modify properties within the global prototype chain, causing denial of service (DoS) as the minimum consequence.

Security Summary

CVE-2024-57077 is a prototype pollution vulnerability in the latest version of the utils-extend JavaScript library (1.0.8). The issue resides in the lib.extend entry function, which allows an attacker to supply a payload that sets properties on Object.prototype. This enables the introduction or modification of properties within the global prototype chain.

The vulnerability has a CVSS v3.1 base score of 9.1 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H), indicating it is exploitable remotely by unauthenticated attackers with low complexity and no user interaction. Exploitation can at minimum cause denial of service (DoS), with potential for high integrity and availability impacts through prototype chain manipulation (CWE-1321).
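
As an added illustration of the CWE-1321 pattern described above (this is not utils-extend's own code; the two extend functions, the PAYLOAD_JSON constant and the pollutes helper are hypothetical constructs written for this page), a recursive extend that walks an untrusted object's keys is shown beside a hardened form, together with a regression check a maintainer could keep in a test suite:

```javascript
// Hypothetical recursive extend in the style of a lib.extend entry point.
// Vulnerable: it iterates every own key of the untrusted source, including
// "__proto__", and target["__proto__"] resolves to Object.prototype, so the
// recursion writes the attacker's keys into the global prototype chain.
function extendVulnerable(target, source) {
  for (const key of Object.keys(source)) {
    const value = source[key];
    if (value && typeof value === 'object' && !Array.isArray(value)) {
      if (!target[key] || typeof target[key] !== 'object') target[key] = {};
      extendVulnerable(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Hardened: keys that reach the prototype chain are skipped outright, and
// recursion only descends into the target's own properties.
const UNSAFE_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function extendSafe(target, source) {
  for (const key of Object.keys(source)) {
    if (UNSAFE_KEYS.has(key)) continue; // never touch the prototype chain
    const value = source[key];
    if (value && typeof value === 'object' && !Array.isArray(value)) {
      const own = Object.prototype.hasOwnProperty.call(target, key);
      if (!own || typeof target[key] !== 'object' || target[key] === null) {
        target[key] = {};
      }
      extendSafe(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Constructed input of the shape the advisory describes: JSON.parse keeps
// "__proto__" as an ordinary own property, which is what the loop sees.
const PAYLOAD_JSON = '{"name":"demo","__proto__":{"polluted":true}}';

// Regression check: run one extend implementation on the payload and report
// whether an unrelated, freshly created object inherited "polluted".
// Object.prototype is restored afterwards so the check is repeatable.
function pollutes(extendFn) {
  extendFn({}, JSON.parse(PAYLOAD_JSON));
  const leaked = ({}).polluted === true;
  delete Object.prototype.polluted;
  return leaked;
}
```

In production code the same check belongs next to any deep-merge or config-loading path that accepts untrusted JSON, since the pollution shows up on objects far from the call site.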

Mitigation details are available in the advisory referenced at https://gist.github.com/tariqhawis/64bac50f8c2706e6880e45d50a507114. The CVE was published on 2025-02-05.

Details

CWE(s)
CWE-1321

References