CVE-2024-57078

CVE-2024-57078 is a prototype pollution vulnerability in the lib.merge function of cli-util version 1.1.27. This flaw allows attackers to supply a crafted payload that pollutes the JavaScript prototype chain, leading to a Denial of Service (DoS) condition. The vulnerability is classified under CWE-1321 and has a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H), indicating high severity due to its potential for significant availability impact without requiring authentication or user interaction.

The attack scenario involves remote attackers who can exploit this vulnerability over the network with low complexity. No privileges or user interaction are needed, enabling unauthenticated attackers to send a specially crafted payload to applications using the affected cli-util library. Successful exploitation results in a DoS, disrupting service availability by crashing or hanging the targeted application.

Advisories and additional details are provided in the reference at https://gist.github.com/tariqhawis/b58d7274d67e7b9fed4bd51368388a23, which likely includes proof-of-concept information or further technical analysis relevant to mitigation strategies.