CVE-2024-12629

4.1 MEDIUM

📋 TL;DR

This CVE describes a prototype pollution vulnerability in Progress Telerik KendoReact components where attackers can inject malicious properties into global prototypes. This can lead to denial of service or command injection attacks. Organizations using KendoReact versions v3.5.0 through v9.4.0 in their React applications are affected.

💻 Affected Systems

Products:
  • Progress Telerik KendoReact UI components
Versions: v3.5.0 through v9.4.0
Operating Systems: All platforms running React applications
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects React applications using vulnerable KendoReact components. The vulnerability exists in the JavaScript/TypeScript code, not in server-side components.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Remote code execution leading to complete system compromise, data theft, or ransomware deployment.

🟠 Likely Case

Denial of service causing application crashes or instability, potentially disrupting business operations.

🟢 If Mitigated

Limited impact with proper input validation and security controls in place.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: MEDIUM

Exploitation requires understanding of prototype pollution techniques and access to user input vectors in the application.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: v9.5.0 and later

Vendor Advisory: https://www.telerik.com/kendo-react-ui/components/knowledge-base/kb-security-protoype-pollution-2024-12629

Restart Required: No

Instructions:

1. Update the KendoReact packages to v9.5.0 or later using npm or yarn.
2. Run npm update @progress/kendo-react-* or yarn upgrade @progress/kendo-react-*.
3. Rebuild and redeploy your React application.

🔧 Temporary Workarounds

Input validation and sanitization (scope: all)

Implement strict input validation and sanitization for all user-controlled data before it is processed by KendoReact components.

Object.freeze on prototypes (scope: all)

Use Object.freeze() on critical prototype objects to prevent property injection:

Object.freeze(Object.prototype);
Object.freeze(Array.prototype);

🧯 If You Can't Patch

  • Implement WAF rules to detect and block prototype pollution patterns in HTTP requests.
  • Isolate vulnerable applications in network segments with restricted access and monitor for anomalous behavior.

🔍 How to Verify

Check if Vulnerable:

Check package.json for @progress/kendo-react-* dependencies with versions between 3.5.0 and 9.4.0 inclusive.

Check Version:

npm list @progress/kendo-react-* | grep @progress/kendo-react-

Verify Fix Applied:

Verify package.json shows @progress/kendo-react-* dependencies at version 9.5.0 or higher.

📡 Detection & Monitoring

Log Indicators:

  • Unusual application crashes or restarts
  • Error logs containing prototype-related JavaScript errors
  • Unexpected property assignments in object logs

Network Indicators:

  • HTTP requests with unusual property names in JSON payloads
  • Requests containing __proto__ or constructor properties

SIEM Query:

source="application_logs" AND ("prototype" OR "__proto__" OR "constructor") AND severity="ERROR"
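The workaround and detection sections above describe the bug class in general terms; the following added example (not KendoReact's code and not the advisory's) shows a generic recursive merge that pollutes Object.prototype when fed untrusted JSON, a hardened merge that drops the dangerous keys, and a request-payload check matching the network indicators, run against a constructed payload.

```javascript
// Added example, not KendoReact's or the advisory's code: a generic recursive merge
// that pollutes Object.prototype, a hardened merge, and a payload check.
const FORBIDDEN_KEYS = new Set(["__proto__", "constructor", "prototype"]);

// Constructed request body in the shape the network indicators describe.
const CONSTRUCTED_PAYLOAD = '{"theme":"dark","__proto__":{"polluted":"yes"}}';

// Vulnerable pattern: keys are not checked, so target["__proto__"] resolves to
// Object.prototype and the nested object is written into every plain object.
function unsafeMerge(target, src) {
  for (const key of Object.keys(src)) {
    const val = src[key];
    if (val && typeof val === "object" && typeof target[key] === "object") {
      unsafeMerge(target[key], val);
    } else {
      target[key] = val;
    }
  }
  return target;
}

// Hardened pattern: drop the sink keys and only recurse into own properties.
function safeMerge(target, src) {
  for (const key of Object.keys(src)) {
    if (FORBIDDEN_KEYS.has(key)) continue;
    const val = src[key];
    const own = Object.prototype.hasOwnProperty.call(target, key);
    if (val && typeof val === "object" && own && typeof target[key] === "object") {
      safeMerge(target[key], val);
    } else {
      target[key] = val;
    }
  }
  return target;
}

// Detection: returns the JSON paths of forbidden keys in a parsed body, so a
// request can be rejected or alerted on before any component merges it.
function findPollutionKeys(value, path = "$") {
  const hits = [];
  if (value && typeof value === "object") {
    for (const key of Object.keys(value)) {
      const here = `${path}.${key}`;
      if (FORBIDDEN_KEYS.has(key)) hits.push(here);
      hits.push(...findPollutionKeys(value[key], here));
    }
  }
  return hits;
}
```

Freezing Object.prototype, as in the workaround above, closes the sink globally but can break libraries that extend built-in prototypes, so exercise the whole application with it enabled before relying on it.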
