CVE-2022-24279

7.5 HIGH

📋 TL;DR

CVE-2022-24279 is a prototype pollution vulnerability in madlib-object-utils package versions before 0.1.8. Attackers can exploit the setValue method to merge malicious object prototypes, potentially modifying application behavior or executing arbitrary code. This affects any application using vulnerable versions of this JavaScript utility library.

💻 Affected Systems

Products:
  • madlib-object-utils
Versions: All versions before 0.1.8
Operating Systems: All platforms running Node.js
Default Config Vulnerable: ⚠️ Yes
Notes: This vulnerability is an incomplete fix of CVE-2020-7701, affecting the same package

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case: Remote code execution leading to complete system compromise, data theft, or service disruption

🟠 Likely Case: Application manipulation leading to denial of service, data corruption, or privilege escalation

🟢 If Mitigated: Limited impact with proper input validation and sandboxing, potentially causing application errors

🌐 Internet-Facing: HIGH - Web applications using this library are directly exposed to exploitation
🏢 Internal Only: MEDIUM - Internal applications could be exploited through authenticated access or lateral movement

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires attacker-controlled input to the setValue method, which is commonly used in web applications

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 0.1.8 and later

Vendor Advisory: https://github.com/Qwerios/madlib-object-utils/commit/8d5d54c11c8fb9a7980a99778329acd13e3ef98f

Restart Required: Yes

Instructions:

1. Update package.json to require madlib-object-utils version 0.1.8 or higher
2. Run 'npm update madlib-object-utils'
3. Restart all affected applications
4. Test application functionality

🔧 Temporary Workarounds

Input validation wrapper

all

Wrap setValue calls with input validation to reject suspicious object structures

// JavaScript code to validate inputs before calling setValue
const { setValue } = require('madlib-object-utils'); // assumed named export

// Path segments that reach Object.prototype; the original check also missed 'prototype'
// and, through operator precedence, called path.includes on non-string paths
const FORBIDDEN = ['__proto__', 'constructor', 'prototype'];

function safeSetValue(obj, path, value) {
  // Accept a dotted string or an array of keys; reject any other type
  if (typeof path !== 'string' && !Array.isArray(path)) throw new Error('Invalid path');
  const text = Array.isArray(path) ? path.map(String).join('.') : path;
  if (FORBIDDEN.some((seg) => text.includes(seg))) throw new Error('Invalid path');
  return setValue(obj, path, value);
}

🧯 If You Can't Patch

  • Implement strict Content Security Policy (CSP) headers to limit script execution
  • Deploy web application firewall (WAF) rules to detect and block prototype pollution attempts

🔍 How to Verify

Check if Vulnerable:

Check package.json or package-lock.json for madlib-object-utils version <0.1.8

Check Version:

npm list madlib-object-utils | grep madlib-object-utils

Verify Fix Applied:

Verify installed version is 0.1.8 or higher using npm list madlib-object-utils

📡 Detection & Monitoring

Log Indicators:

  • Unusual application errors related to object manipulation
  • Unexpected property assignments in application logs

Network Indicators:

  • HTTP requests containing __proto__ or constructor in payloads
  • Unusual API calls to object manipulation endpoints

SIEM Query:

source="application_logs" AND ("__proto__" OR "constructor" OR "prototype pollution")
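An added detection example, not from the advisory or the madlib-object-utils project, that applies the log and network indicators above to constructed request-log lines: it parses each JSON body and reports object keys or dotted path strings naming `__proto__`, `constructor` or `prototype`, which is stricter than the plain substring match of the SIEM query.

```javascript
// Keys that walk from an ordinary object up to Object.prototype
const POLLUTION_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Walk a parsed JSON value and return dotted paths of suspicious keys or path strings.
// JSON.parse stores "__proto__" as an own property, so Object.keys does see it.
function findPollutionKeys(value, prefix = '') {
  const hits = [];
  if (typeof value === 'string') {
    // A string value such as "constructor.prototype.x" is a setValue-style path
    if (value.split('.').some((seg) => POLLUTION_KEYS.has(seg))) hits.push(`${prefix}:${value}`);
    return hits;
  }
  if (value === null || typeof value !== 'object') return hits;
  for (const key of Object.keys(value)) {
    const here = prefix ? `${prefix}.${key}` : key;
    if (POLLUTION_KEYS.has(key)) hits.push(here);
    hits.push(...findPollutionKeys(value[key], here));
  }
  return hits;
}

// Constructed sample request log lines in the form: METHOD PATH BODY
const SAMPLE_LOG = [
  'POST /api/profile {"name":"alice","prefs":{"theme":"dark"}}',
  'POST /api/profile {"__proto__":{"isAdmin":true}}',
  'POST /api/settings {"path":"constructor.prototype.polluted","value":"1"}',
  'PUT /api/profile {"nested":{"constructor":{"prototype":{"x":1}}}}',
];

// Return one alert per request whose JSON body carries a pollution indicator
function scanRequestLog(lines) {
  const alerts = [];
  for (const line of lines) {
    const [method, url, ...rest] = line.split(' ');
    let body;
    try { body = JSON.parse(rest.join(' ')); } catch { continue; } // non-JSON body: skip
    const hits = findPollutionKeys(body);
    if (hits.length) alerts.push({ method, url, hits });
  }
  return alerts;
}

console.log(JSON.stringify(scanRequestLog(SAMPLE_LOG), null, 2));
```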

🔗 References