CVE-2024-57084

High

Published: 05 February 2025

Published

05 February 2025

Modified

15 April 2026

KEV Added

—

Patch

—

CVSS Score 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

EPSS Score 0.0019 40.7th percentile

Risk Priority 15 60% EPSS · 20% KEV · 20% CVSS

Description

A prototype pollution in the function lib.parse of dot-properties v1.0.1 allows attackers to cause a Denial of Service (DoS) via supplying a crafted payload.

Security Summary

CVE-2024-57084 is a prototype pollution vulnerability in the lib.parse function of the dot-properties package version 1.0.1. This issue allows attackers to supply a crafted payload that triggers a Denial of Service (DoS) condition. The vulnerability is associated with CWE-1321 and carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H), highlighting its potential for significant availability disruption.

Remote attackers can exploit this vulnerability over the network without authentication or user interaction, requiring only low complexity. By providing a specially crafted input to the affected parsing function, they can pollute the JavaScript prototype chain, leading to application crashes or excessive resource consumption that denies service to legitimate users.

Advisories and further details are available in the referenced GitHub Gist at https://gist.github.com/tariqhawis/3dbeb208c3e22f90a601818ccd06a948.

Details

CWE(s): CWE-1321

References

https://gist.github.com/tariqhawis/3dbeb208c3e22f90a601818ccd06a948
cve@mitre.org