CVE-2024-57083
Published: 28 March 2025
Description
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Security Summary
CVE-2024-57083 is a prototype pollution vulnerability in the Module.mergeObjects component, located at redoc/bundles/redoc.lib.js:2, affecting Redoc versions 2.2.0 and earlier. Published on 2025-03-28, the flaw allows attackers to cause a Denial of Service (DoS) condition by supplying a crafted payload. It carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) and is classified under CWE-1321.
The vulnerability enables remote exploitation over the network with low complexity, requiring no authentication privileges or user interaction. Attackers can trigger it by delivering a specially crafted payload to affected Redoc instances, resulting in high-impact disruption to availability while leaving confidentiality and integrity unaffected.
Mitigation details are available in the referenced GitHub issue at https://github.com/Redocly/redoc/issues/2499.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Prototype pollution enables remote exploitation of public-facing Redoc application (T1190) to trigger application-level DoS via crafted payload (T1499.004).