Cyber Posture

CVE-2024-57085

Severity: High
Published: 05 February 2025
Modified: 15 April 2026
CVSS Score: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
EPSS Score: 0.0027 (50.2nd percentile)
Risk Priority: 15 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Description

A prototype pollution in the function deepMerge of @stryker-mutator/util v8.6.0 allows attackers to cause a Denial of Service (DoS) by supplying a crafted payload.

Security Summary

CVE-2024-57085 is a prototype pollution vulnerability in the deepMerge function of the @stryker-mutator/util package version 8.6.0. This flaw allows attackers to supply a crafted payload that pollutes the JavaScript prototype chain, leading to a Denial of Service (DoS) condition. The vulnerability is classified under CWE-400 (Uncontrolled Resource Consumption) and carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H), indicating high severity primarily due to its impact on availability.

The vulnerability can be exploited remotely over the network by unauthenticated attackers with low complexity and no user interaction required. By providing a specially crafted input to the deepMerge function, attackers can trigger excessive resource consumption, causing the application to crash or become unresponsive, resulting in a DoS. There is no impact on confidentiality or integrity, but the high availability impact makes it suitable for disrupting services that rely on this utility package.
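As an added illustration of the bug class (this is not the @stryker-mutator/util code or anything from the advisory), the following contrasts a naive recursive merge, which honours a `__proto__` key arriving in parsed JSON and so writes into Object.prototype, with a hardened merge that rejects prototype-affecting keys and only recurses into properties the target actually owns. The sample input is constructed.

```javascript
// Added illustration of the bug class, not @stryker-mutator/util's code.
// Keys through which a merge path can reach Object.prototype.
const UNSAFE_KEYS = new Set(['__proto__', 'constructor', 'prototype']);
const isPlainObject = (v) => v !== null && typeof v === 'object' && !Array.isArray(v);

// Naive merge: trusts every key. With JSON.parse input, "__proto__" is an
// own key, target["__proto__"] resolves to Object.prototype, and the
// recursion writes attacker-chosen properties into the global prototype.
function naiveDeepMerge(target, source) {
  for (const key of Object.keys(source)) {
    const value = source[key];
    if (isPlainObject(value)) {
      if (!isPlainObject(target[key])) target[key] = {};
      naiveDeepMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Hardened merge: drop prototype-affecting keys and only recurse into
// properties the target owns, so an inherited object is never a destination.
function safeDeepMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (UNSAFE_KEYS.has(key)) continue; // reject (or log, for detection)
    const value = source[key];
    if (isPlainObject(value)) {
      const own = Object.prototype.hasOwnProperty.call(target, key);
      if (!own || !isPlainObject(target[key])) target[key] = {};
      safeDeepMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Constructed sample: an untrusted config document parsed from the network,
// so "__proto__" arrives as an own property rather than a prototype link.
const UNTRUSTED_JSON = '{"timeout": 5, "__proto__": {"polluted": true}}';

// Merge the sample with `mergeFn` and report whether a fresh object now
// inherits `polluted`; the prototype is restored before returning.
function pollutesPrototype(mergeFn) {
  mergeFn({}, JSON.parse(UNTRUSTED_JSON));
  const leaked = ({}).polluted === true;
  delete Object.prototype.polluted;
  return leaked;
}
```

The same own-property and key-denylist checks are the fix pattern to look for when reviewing any recursive merge or config-loading helper that consumes network input.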

For mitigation details, refer to the advisory at https://gist.github.com/tariqhawis/f59355f62dad6f8b53b42317f143ba0c, which provides proof-of-concept information published on 2025-02-05.

Details

CWE(s): CWE-400 (Uncontrolled Resource Consumption)